Preface



This volume contains the papers presented at the Sixth International Conference on Logic for Programming and Automated Reasoning (LPAR’99), held in Tbilisi, Georgia, September 6-10, 1999, and hosted by the University of Tbilisi.

Forty-four papers were submitted to LPAR’99. Each of the submissions was reviewed by three program committee members and an electronic program committee meeting was held via the Internet. Twenty-three papers were accepted.

We would like to thank the many people who have made LPAR’99 possible. We are grateful to the following groups and individuals: to the program committee and the additional referees for reviewing the papers in a very short time, to the organizing committee, and to the local organizers of the INTAS workshop in Tbilisi in April 1994 (Khimuri Rukhaia, Konstantin Pkhakadze, and Gela Chankvetadze). And last but not least, we would like to thank Konstantin Korovin, who maintained the program committee Web page; Uwe Waldmann, who supplied macros for these proceedings and helped us to install some programs for the electronic management of the program committee work; and Bill McCune, who implemented these programs.
Andrei Voronkov
LPAR’99 Program Chairs 
Proofs About Lists Using Ellipsis



Alan Bundy and Julian Richardson*

Institute for Representation and Reasoning
University of Edinburgh
80 South Bridge, Edinburgh EH1 1HN, Scotland
a.bundy@ed.ac.uk, julian.richardson@ed.ac.uk



Abstract. In this paper we explore the use of ellipsis in proofs about lists. We present a higher-order formulation of elliptic formulae, and describe its implementation in the λClam proof planner. We use an unambiguous higher-order formulation of lists which is amenable to formal proofs without using induction, and to display using the familiar ... notation.



1 Introduction 

A notation often used in informal mathematical proofs is ellipsis (the dots in $a_1 + \ldots + a_n$). Not only does the use of ellipsis make many proofs much easier to understand, but it also naturally lends itself to theories where induction has been replaced by suitable axioms.

Ellipsis can be used to abbreviate many different kinds of formulae; in this paper, we explore the use of ellipsis in proofs about lists. This allows us to address important issues in the automatic treatment of ellipsis and, while we do not extensively consider it here, can be extended by applying fold functions (see for example equation (2) below and §11) to reasoning about elliptic formulae in which the main connective is not list cons. We present a higher-order formulation of elliptic formulae, and describe its implementation in the λClam proof planner [8]. To resolve the ambiguities inherent in elliptic representation, we use an underlying unambiguous representation which is portrayed by ellipsis. We define a higher-order function □ which represents a list by the length of the list and a function which takes a natural number $n$ and returns the $n$-th member of the list.

Displaying proofs in elliptic notation poses interesting challenges. One step of a proof in the elliptic notation may require several steps in the implementation. The display mechanism can itself perform quite sophisticated rewriting in order to get a useful portrayal of a formula. The portrayal system cannot just be bolted on top of the theorem prover but must itself influence the way in which proofs are carried out; ensuring that formulae are in a form for which elliptic portrayal is effective imposes restrictions on the order in which proof steps are applied.

* The authors gratefully acknowledge the support of EPSRC grants GR/L/11724 and GR/M/45030, and the comments of their colleagues in the Mathematical Reasoning Group. We would also like to thank the referees for their insightful comments.
2 A Motivating Example

We consider two alternative definitions of a foldl function, one a recursive definition, the other an elliptic definition. The recursive definition is given in (1).

$foldl(\otimes, A, nil) = A$

$foldl(\otimes, A, [H \mid T]) = foldl(\otimes, A \otimes H, T) \qquad (1)$

How quickly can you spot what this function does? Compare this with an elliptic definition:

$foldl(\otimes, A, [E_1, E_2, \ldots, E_n]) = (\ldots((A \otimes E_1) \otimes E_2) \otimes \ldots \otimes E_n) \qquad (2)$

Do you find that easier to understand? 

If you are like us, you find (2) much easier to understand than (1). In fact, one can argue that (2) is the real meaning of foldl, and (1) is merely the best way to represent this meaning in most logics. Unfortunately, (2) is not normally available because ellipsis is not usually a legal part of the syntax.

We will call formulae like (2) schematic, because we can think of it as a schema standing for an infinite number of formulae: one for each $n$. Imagine we had a logic in which schematic formulae were legal syntax and in which (2) was the definition of foldl. We will call this a schematic logic. Such a logic was used in [1] to represent generalised proofs. From time to time other people propose such logics, e.g. [6].

We can use definition (2) to prove the following theorem:

$foldl(\otimes, A, [E_1, \ldots, E_{n-1}, E_n]) = foldl(\otimes, A, [E_1, \ldots, E_{n-1}]) \otimes E_n$

This is a trivial theorem in the schematic logic. It requires just two applications of definition (2). We must only be careful to insert the condition that $1 < n$, so that the right hand side is meaningful. By contrast the usual inductive proof using (1) is less immediately understandable as it requires induction and choosing an appropriate instantiation for the $A$ in the induction hypothesis.*

It seems that schematic definitions and proofs that use them can be easier to 
understand than their regular counterparts. It is often possible to avoid induction 
by using a generalised schematic proof, i.e. one in which ellipsis is used in the 
proof as well as the formulae. 

There are several problems which must be solved to make this possible:

1. Ellipsis can be ambiguous. There has to be a mechanism for deciding what is elided in the ellipsis. For example, what is meant by $[E_2, \ldots, E_{16}]$? Does the list have 15, 8, 4 or some other number of elements? In the preceding examples, the meaning of the ellipsis is clear, but in general it may be necessary to restrict the use of ellipsis to those cases that are unambiguous, if we can decide what those are.

* If $A$ is not universally quantified in the conjecture, then an additional generalisation step is required in the inductive proof.
2. It is necessary to keep track of conditions, like $1 < n$ in the proof above, which are needed to ensure that schematic formulae are well formed. This can get quite hard.

3. We might want to translate the resulting schematic proof into a proof in a regular logic. Writing the tactics for this would be a challenge.

In the sections which follow, we present a representation of lists which lends itself both to formal proof and to elliptic proof and portrayal. To address (1) above, we do not consider the input of formulae which contain ellipsis, but aim instead merely to portray formulae using ellipsis in a predictable way which is unambiguous to the reader. We address (2) by disregarding well-formedness conditions in our initial implementation and checking manually to ensure that ill-formed formulae do not appear in the proof. The proofs we construct are proofs in a higher-order logic, so no translation is necessary to satisfy (3) above.

3 The Representation of Ellipsis 

3.1 The Ambiguity of Ellipsis 

The first problem in formalising ellipsis is its inherent ambiguity. The reader of a formula containing ellipsis has to induce a pattern from the expressions on either side of the dots. For instance, it is necessary to induce that $a_1 + \ldots + a_n$ means $\sum_{i=1}^{n} a_i$ and not $\sum_{i=1}^{n/2} a_{2i}$, say, i.e. that the numbers go up in ones not twos — or threes — or in some more complicated pattern. One can try to disambiguate ellipsis by putting in more context, e.g. $a_1 + a_2 + \ldots + a_n$, but some ambiguity will always remain.

More importantly, it is hard to see how we can ensure that a “proof” is in fact 
a proof unless it can be expressed in an unambiguous internal representation. 



3.2 An Unambiguous Representation 

If an unambiguous internal representation is needed anyway, then why not use this instead of ellipsis? Ellipsis can be used as an external ‘portray’ form of this unambiguous representation. This will avoid the need for constant pattern recognition to figure out what is going on, but externally can be indistinguishable. Pattern recognition would be needed only if ellipsis is used when inputting formulae. This is the view we adopt here.

For n-ary sums and products we already have such an unambiguous notation in $\sum$ and $\prod$. However, we don’t have such a notation for lists, sequences or other n-ary operations. The main focus of this paper is to introduce a similar notation for lists. This notation is then used for representing sequences and any other use of ellipsis. We will use the notation □ in a similar way to $\sum$ or $\prod$. □ is a polymorphic, second order function of type:

$\Box : nat \to (nat \to \tau) \to list(\tau)$
Its first argument is the length of the list. It applies the function to each of the natural numbers 1, 2, etc. up to this length and returns a list of the results, i.e.

Note that we use function application instead of subscripts, so a subscripted term $a_i$ is represented by a function application $a(i)$.

4 The Axiomatisation of □ 

□ can be defined recursively as follows (where $::$ and $<>$ are infix cons and append respectively):

$\Box(0, F) = nil$

$\Box(s(N), F) = \Box(N, F) <> (F(s(N)) :: nil)$

Or, alternatively, as:

$\Box(0, F) = nil$

$\Box(s(N), F) = F(1) :: \Box(N, \lambda i.\, F(s(i)))$

Armed with □ we can avoid much of the need for recursion in defining new functions (cf. the work of Bird [2]). All we need is an axiom that says that all lists can be put in □ form, i.e.

$\forall L : list(\tau).\ \exists n : nat.\ \exists f : (nat \to \tau).\ L = \Box(n, f)$

Then we can define len, <> (infix append) and rev as:

$len(\Box(N, F)) = N$

$rev(\Box(N, F)) = \Box(N, \lambda i.\, F(s(N) - i))$

$\Box(M, F) <> \Box(N, G) = \Box(M + N, comb(M, F, G))$

where comb is defined by:

These definitions should be portrayed, in elliptic notation, as:

$len([F(1), \ldots, F(N)]) = N$

$rev([F(1), \ldots, F(N)]) = [F(N), \ldots, F(1)]$

$[F(1), \ldots, F(M)] <> [G(1), \ldots, G(N)] = [F(1), \ldots, F(M), G(1), \ldots, G(N)]$
5 Proofs Using Ellipsis

As so many of the definitions are non-recursive, the proofs can be non-inductive. 
In this section we present an example. 



5.1 Rotate Length 

Consider the classic rotate-length conjecture:

$rot(len(L), L) = L$

Informally, $rot(N, L)$ returns a list with the same length as the list $L$ but with the first $N$ elements removed from the front and appended to the end. Here is a definition of rot using ellipsis:

$M \le N \to rot(M, \Box(N, F)) = \Box(N - M, \lambda i.\, F(M + i)) <> \Box(M, F)$

In elliptic notation, this definition translates to:

$rot(M, [F(1), \ldots, F(N)]) = [F(M + 1), \ldots, F(N)] <> [F(1), \ldots, F(M)]$

Then the □ proof is:

$rot(len(\Box(N, F)), \Box(N, F)) = rot(N, \Box(N, F))$

$= \Box(N - N, \lambda i.\, F(N + i)) <> \Box(N, F)$

$= \Box(0, \lambda i.\, F(N + i)) <> \Box(N, F)$

$= \Box(0 + N, comb(0, \lambda i.\, F(N + i), F)) \qquad (4)$

$= \Box(N, F)$

or in elliptic notation:

$rot(len([F(1), \ldots, F(N)]), [F(1), \ldots, F(N)])$

$= rot(N, [F(1), \ldots, F(N)])$

$= [\,] <> [F(1), \ldots, F(N)]$

$= [F(1), \ldots, F(N)]$

For comparison, λClam cannot prove this theorem using its standard inductive strategy. The Clam proof planner [4] is unable to prove this theorem without using critics [5]. Both Clam and λClam are able to prove the generalised theorem $rot(len(l), l <> m) = (m <> l)$.
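The definitions of sections 2, 4 and 5.1 can be run on concrete lists. The Python model below is an added example, not code from the paper or from λClam: `Box(n, f)` stands for □(n, f), and len, rev, <>, rot and foldl are written exactly as the equations above give them, so the two recursive definitions of □, the rotate-length theorem and the foldl theorem of section 2 can be checked on sample data. Because equation (3) is not reproduced on the page, the reading of comb used here (the first M positions come from F, the rest from G shifted by M) is an assumption, chosen so that the rewriting described in section 6 holds.

```python
from functools import reduce
from typing import Any, Callable, List

Index = Callable[[int], Any]   # the F in box(N, F): maps 1..N to list elements


class Box:
    """box(N, F): a list given by its length N and an index function F."""

    def __init__(self, n: int, f: Index):
        if n < 0:
            raise ValueError("the length of a box must be a natural number")
        self.n, self.f = n, f

    def to_list(self) -> List[Any]:
        # evaluate the elliptic portrayal [F(1), ..., F(N)]
        return [self.f(i) for i in range(1, self.n + 1)]


def from_list(xs: List[Any]) -> Box:
    # the axiom of section 4: every list L is box(n, f) for some n and f
    return Box(len(xs), lambda i: xs[i - 1])


def box_rec1(n: int, f: Index) -> List[Any]:
    # first recursive definition: box(s(N), F) = box(N, F) <> (F(s(N)) :: nil)
    return [] if n == 0 else box_rec1(n - 1, f) + [f(n)]


def box_rec2(n: int, f: Index) -> List[Any]:
    # second recursive definition: box(s(N), F) = F(1) :: box(N, λi. F(s(i)))
    return [] if n == 0 else [f(1)] + box_rec2(n - 1, lambda i: f(i + 1))


def length(b: Box) -> int:
    return b.n                                        # len(box(N, F)) = N


def rev(b: Box) -> Box:
    return Box(b.n, lambda i: b.f(b.n + 1 - i))       # box(N, λi. F(s(N) - i))


def comb(m: int, f: Index, g: Index) -> Index:
    # assumed reading of comb (equation (3) is not reproduced on the page):
    # the first M positions come from F, the rest from G shifted by M
    return lambda i: f(i) if i <= m else g(i - m)


def append(a: Box, b: Box) -> Box:
    return Box(a.n + b.n, comb(a.n, a.f, b.f))        # box(M + N, comb(M, F, G))


def rot(m: int, b: Box) -> Box:
    # rot(M, box(N, F)) = box(N - M, λi. F(M + i)) <> box(M, F), for M <= N
    if m > b.n:
        raise ValueError("rot(M, L) requires M <= len(L)")
    return append(Box(b.n - m, lambda i: b.f(m + i)), Box(m, b.f))


def foldl(op: Callable[[Any, Any], Any], a: Any, b: Box) -> Any:
    # elliptic definition (2): (...((A ⊗ E1) ⊗ E2) ⊗ ... ⊗ En)
    return reduce(op, b.to_list(), a)


# Each check returns True when the corresponding statement of the paper
# holds on the given concrete input.
def definitions_agree(xs: List[Any]) -> bool:
    b = from_list(xs)
    return box_rec1(b.n, b.f) == box_rec2(b.n, b.f) == b.to_list() == xs


def rotate_length_holds(xs: List[Any]) -> bool:
    b = from_list(xs)
    return rot(length(b), b).to_list() == xs          # rot(len(L), L) = L


def foldl_last_holds(op: Callable[[Any, Any], Any], a: Any, xs: List[Any]) -> bool:
    # the theorem of section 2: foldl(⊗, A, [E1, ..., En]) = foldl(⊗, A, [E1, ..., E(n-1)]) ⊗ En,
    # which needs a non-empty list
    if not xs:
        raise ValueError("the theorem needs a non-empty list")
    return foldl(op, a, from_list(xs)) == op(foldl(op, a, from_list(xs[:-1])), xs[-1])


if __name__ == "__main__":
    L = from_list(["a", "b", "c", "d", "e"])
    print(rot(2, L).to_list())                        # ['c', 'd', 'e', 'a', 'b']
    print(rev(L).to_list(), rotate_length_holds(L.to_list()))
```

`rot` refuses M > N, mirroring the side condition on the definition; the checks are deliberately written with a non-commutative operator in mind (subtraction is a good test for `foldl_last_holds`), since an associative and commutative ⊗ would hide bracketing mistakes.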

6 Elliptic Portrayal 

The key to the success of this technique is that the internal □ notation can be portrayed in an intuitively satisfying external elliptic notation. A comparison of the number of steps in the formal (four steps), versus the informal (two steps), proofs above indicates that there need not be a 1-1 correspondence between proof steps in the formal and informal proofs, and conversion between the two representations may not be entirely straightforward. Rewriting is often required to process the internal representation into a portrayable form. For example, correct portrayal of (4) above requires two rewrites: $0 + N \Rightarrow N$, and $comb(0, \lambda i.\, F(N + i), F) \Rightarrow F$. Sometimes internal proof steps cannot be portrayed at all and must be omitted, leading to a mismatch between internal and external proof steps.

Consider, for instance, the definition of append:

$\Box(M, F) <> \Box(N, G) = \Box(M + N, comb(M, F, G))$

which we would like to portray as:

$[F(1), \ldots, F(M)] <> [G(1), \ldots, G(N)] = [F(1), \ldots, F(M), G(1), \ldots, G(N)]$

Firstly, note that we do not want the internal function comb to appear at all. We want to evaluate expressions like $comb(M, F, G)(M + N)$ to $G(N)$, which requires the rewriting:

$comb(M, F, G)(M + N) \Rightarrow G(M + N - M)$

$\Rightarrow G(N)$

In general, there is no limit to the amount of rewriting that might be required here. A lot of conjectures can be proved, however, by normalising arithmetic expressions when possible, and applying a few rewrite rules concerning comb and similar functions.

Secondly, note that which elements of the list we portray is very context sensitive. We do not always want to portray just the first and last elements, but also the elements either side of significant boundaries. In general, detecting such critical boundaries involves solving inequalities over the natural numbers modulo some domain theory. Inequality reasoning is not implemented in the current system. This limits both portrayal and proof to a small but interesting class of examples.

7 Implementation 

We have implemented a system for reasoning about ellipsis in lists in the higher-order proof planner, λClam [8]. λClam provides a convenient basis for our implementation because we need to reason carefully about higher-order functions and variable scope; correct reasoning about functions and variable scope is built into λClam’s underlying metatheory.

The implementation consists of a number of proof planning methods [3] and some code for portraying elliptic formulae.
7.1 Portrayal

The bulk of the work which is necessary during portrayal is normalisation of arithmetic expressions. For example, portraying $\Box(n - (m + (n - 1)) + (m + 1 + n), F)$ as the elliptic term $[F(1), \ldots, F(n - (m + (n - 1)) + (m + 1 + n))]$ is both ugly and destroys the simplicity of presentation which is the main point of the exercise. The first step in elliptic portrayal is therefore to simplify the first argument as much as possible using a procedure which normalises expressions built from positive integer constants, variables, + and −. The above example is correctly portrayed by our implementation as $[(F\ 1), \ldots, (F\ (n + 2))]$.



7.2 Methods 

λClam was extended with a new proof planning method: boxintro, which converts conjectures about lists in the standard notation to conjectures about lists in the □ notation. Every universal quantifier $\forall l : list(\tau)$ is replaced by two quantifiers $\forall n : nat.\ \forall f : nat \to \tau$, and the occurrences of $l$ which are in this quantifier’s scope are replaced by $\Box(n, f)$. Occurrences of nil in the conjecture are replaced by $\Box(zero, (\lambda x.\, x))$.

In addition, λClam’s symbolic evaluation (exhaustive rewriting) method has been modified to apply equations which simplify expressions involving natural numbers before other equations.† This is necessary in order to help the portrayal code simplify arithmetic expressions as soon as possible and thereby avoid portrayals such as $[F_1(s(len([F_1(1), \ldots, F_1(V_0)]))), \ldots, F_1(V_0)]$, which was produced by an early version of the system (and in fact turned out to be $[\,]$, a fact which is only apparent after equation (lengths) (see below) has been applied).

In the following sections we give some example output from the system, and 
discuss the issues it raises. 



8 An Example: The Rotate Length Theorem

The rotate-length example of §5.1 cannot be proved by the standard version of λClam.‡ Using ellipsis, it is proved automatically by λClam using only repeated rewriting. For clarity, in the presentation below, we have removed quantifiers, written equality in infix form, and written function applications as $f(x)$ instead of $f\ x$. The elliptic parts of the presentation are however as produced by the system.

The following rewrite rules are used:

† λClam applies the equations exhaustively but does not currently try to reduce arithmetic expressions to a normal form.

‡ Clam can prove it but only with the aid of a critic.
$len([F(1), \ldots, F(N)]) \Rightarrow N$ (lengths)

$rot(M, [F(1), \ldots, F(N)]) \Rightarrow [F(M + 1), \ldots, F(N)] <> [F(1), \ldots, F(M)]$ (rotl)

$N - N \Rightarrow 0$ (minus4)

$[F(1), \ldots, F(N)] <> [G(1), \ldots, G(M)] \Rightarrow [F(1), \ldots, F(N), G(1), \ldots, G(M)]$ (box3)

$0 + X \Rightarrow X$ (pluszeroleft)

$\Box(N, comb(0, F, G)) \Rightarrow \Box(N, G)$ (combdef2)

$X = X \Rightarrow trueP$ (idty)



λClam automatically constructs the proof below. In this presentation, we use the notation ⇓ name to indicate application of a rewrite rule (name).

⊢ rot(len([F1(1), ..., F1(V0)]), [F1(1), ..., F1(V0)]) = [F1(1), ..., F1(V0)]
⇓ lengths
⊢ rot(V0, [F1(1), ..., F1(V0)]) = [F1(1), ..., F1(V0)]
⇓ rotl
⊢ [] <> [F1(1), ..., F1(V0)] = [F1(1), ..., F1(V0)]
⇓ minus4
⊢ [] <> [F1(1), ..., F1(V0)] = [F1(1), ..., F1(V0)]
⇓ box3
⊢ [F1(1), ..., F1(V0)] = [F1(1), ..., F1(V0)]
⇓ pluszeroleft
⊢ [F1(1), ..., F1(V0)] = [F1(1), ..., F1(V0)]
⇓ combdef2
⊢ [F1(1), ..., F1(V0)] = [F1(1), ..., F1(V0)]
⇓ idty
⊢ trueP

Three proof steps — application of equations minus4, pluszeroleft, and combdef2 — do not change the portrayed form of the proof. They should therefore be completely suppressed, or only reported briefly.*
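The interplay of sections 6, 7.1 and 8 (rewriting on the internal □ terms, arithmetic normalisation inside the portrayal code, and rewrite steps that leave the portrayed goal unchanged) can be reproduced in a few dozen lines. The following is an added example and not λClam’s code: terms are nested tuples, the seven rules above are Python functions applied by exhaustive rewriting in the listed order, and `show_term` is the portrayal. The portrayal normalises arithmetic to a linear form (the `n + 2` example of section 7.1), prints an empty □ as `[]`, and evaluates comb only when its first argument normalises to 0; since equation (3) is not reproduced on the page, the reading comb(M, F, G)(i) = F(i) for i ≤ M and G(i − M) otherwise is an assumption, and any other case is left unsimplified, as the paper says inequality reasoning is not implemented. `null_steps` picks out the steps that the paragraph above says should be suppressed.

```python
def tagged(t, tag):
    return isinstance(t, tuple) and t[0] == tag

def linear(e):
    """Normal form of a +/- term over variables and constants: {var: coeff}; key '' is the constant."""
    if isinstance(e, int):
        return {'': e} if e else {}
    if isinstance(e, str):
        return {e: 1}
    op, a, b = e
    out = dict(linear(a))
    for k, v in linear(b).items():
        out[k] = out.get(k, 0) + (v if op == '+' else -v)
    return {k: v for k, v in out.items() if v}

def show_nat(e):
    """Portray an arithmetic term in normalised form, e.g. 'n + 2' (section 7.1)."""
    lin = linear(e)
    out = ''
    for k in sorted(k for k in lin if k) + ([''] if '' in lin else []):
        mag = abs(lin[k])
        body = k if (k and mag == 1) else (f'{mag}*{k}' if k else str(mag))
        out += (('-' if lin[k] < 0 else '') if not out else (' - ' if lin[k] < 0 else ' + ')) + body
    return out or '0'

def subst(t, var, val):
    if t == var:
        return val
    return tuple(subst(a, var, val) for a in t) if isinstance(t, tuple) else t

def show_elem(f, idx):
    """Portray element F(idx) of box(N, F); F is a name, ('lam', i, body) or ('comb', M, F, G)."""
    if isinstance(f, str):
        return f'{f}({show_nat(idx)})'
    if tagged(f, 'lam'):
        return show_term(subst(f[2], f[1], idx))
    if not linear(f[1]):                  # assumed: comb(M, F, G)(i) = F(i) if i <= M else G(i - M);
        return show_elem(f[3], ('-', idx, f[1]))    # with M normalising to 0 only the G case applies
    return f'comb({show_nat(f[1])}, ...)({show_nat(idx)})'   # other cases need inequality reasoning

def show_term(t):
    """External elliptic portrayal of a goal (section 6); an empty box becomes []."""
    if isinstance(t, (int, str)) or tagged(t, '+') or tagged(t, '-'):
        return show_nat(t)
    tag = t[0]
    if tag == 'app':
        return show_elem(t[1], t[2])
    if tag == 'box':
        return '[]' if not linear(t[1]) else f'[{show_elem(t[2], 1)}, ..., {show_elem(t[2], t[1])}]'
    if tag in ('<>', '='):
        return f'{show_term(t[1])} {tag} {show_term(t[2])}'
    return f'{tag}({", ".join(show_term(a) for a in t[1:])})'   # rot(...), len(...)

def lengths(t):       # len(box(N, F)) => N
    return t[1][1] if tagged(t, 'len') and tagged(t[1], 'box') else None
def rotl(t):          # rot(M, box(N, F)) => box(N - M, λi. F(M + i)) <> box(M, F)
    if tagged(t, 'rot') and tagged(t[2], 'box'):
        m, n, f = t[1], t[2][1], t[2][2]
        return ('<>', ('box', ('-', n, m), ('lam', 'i', ('app', f, ('+', m, 'i')))), ('box', m, f))
def minus4(t):        # N - N => 0
    return 0 if tagged(t, '-') and t[1] == t[2] else None
def box3(t):          # box(N, F) <> box(M, G) => box(N + M, comb(N, F, G))
    if tagged(t, '<>') and tagged(t[1], 'box') and tagged(t[2], 'box'):
        return ('box', ('+', t[1][1], t[2][1]), ('comb', t[1][1], t[1][2], t[2][2]))
def pluszeroleft(t):  # 0 + A => A
    return t[2] if tagged(t, '+') and t[1] == 0 else None
def combdef2(t):      # box(N, comb(0, F, G)) => box(N, G)
    return ('box', t[1], t[2][3]) if tagged(t, 'box') and tagged(t[2], 'comb') and t[2][1] == 0 else None
def idty(t):          # X = X => trueP
    return 'trueP' if tagged(t, '=') and t[1] == t[2] else None

RULES = [('lengths', lengths), ('rotl', rotl), ('minus4', minus4), ('box3', box3),
         ('pluszeroleft', pluszeroleft), ('combdef2', combdef2), ('idty', idty)]
def rewrite_once(t, rule):     # apply rule at the outermost-leftmost position where it fires
    r = rule(t)
    if r is not None:
        return r
    if isinstance(t, tuple):
        for k, sub in enumerate(t):
            new = rewrite_once(sub, rule)
            if new is not None:
                return t[:k] + (new,) + t[k + 1:]
    return None

def prove(goal, rules=RULES):
    """Exhaustive rewriting in rule order: returns (rule name, portrayal) per step, the goal first."""
    steps = [('', show_term(goal))]
    while True:
        for name, rule in rules:
            new = rewrite_once(goal, rule)
            if new is not None:
                goal = new
                steps.append((name, show_term(goal)))
                break
        else:
            return steps

def null_steps(steps):
    """Steps whose portrayed goal is identical to the previous one: candidates for suppression."""
    return [name for (_, before), (name, after) in zip(steps, steps[1:]) if before == after]

BOX = ('box', 'N', 'F1')                                  # [F1(1), ..., F1(N)] with N and F1 free
ROTATE_LENGTH = ('=', ('rot', ('len', BOX), BOX), BOX)    # the conjecture of section 8
```

Running `prove(ROTATE_LENGTH)` produces the same seven steps as the λClam output above, and `null_steps` returns exactly minus4, pluszeroleft and combdef2. One caveat a reader should keep in mind: `linear` treats − as integer subtraction, so its normal forms are only valid for expressions that are well formed over the natural numbers (no truncated subtraction), which is the well-formedness condition the paper says it checks by hand (section 2, item 2).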

9 Results 

All of the theorems about lists in the standard corpus of Clam were imported into λClam. Systematic tests showed that our initial implementation of ellipsis proves, without list induction, 50% of the test theorems which λClam proves with list induction. The results are tabulated in figure 1. One additional theorem (the last one in figure 1) was added to the test set: the ungeneralised form of the rotate-length conjecture, which was presented in §5.1.

The tested version of λClam was unable to prove the member examples because of a problem using the definition of member which is suitable for elliptic proofs, $member(x, \Box(n, F)) \leftrightarrow \exists i \le n.\ x = F(i)$. We expect to fix this problem soon.

* It is interesting to ponder to what extent there is a correspondence between these “null” proof steps and proof steps which would be considered “trivial” by a human.

We plan to increase this 50% figure in three steps:

1. Fixing the problem which prevented the application of the elliptic definition of member.

2. Implementation of a method for normalising arithmetic expressions in λClam. Currently, the portrayal code is able to normalise arithmetic expressions but λClam is not.

3. Implementation of conditional rewriting and methods for solving simple inequalities. This third step should enable the system to prove using ellipsis all of the theorems that λClam can prove using induction, and more besides.



Conjecture                                        | Ellipsis | List Induction
--------------------------------------------------+----------+---------------
l <> nil = l                                      |    Y     |       Y
reverse(l) <> reverse(m) = reverse(m <> l)        |          |       Y
l <> (m <> n) = (l <> m) <> n                     |          |       Y
l = m → (x <> l) = (x <> m)                       |          |       Y
len(l <> m) = len(m <> l)                         |    Y     |       Y
len(l) = len(reverse(l))                          |    Y     |       Y
len(l <> m) = len(l) + len(m)                     |    Y     |       Y
member(x, l) → member(x, l <> m)                  |          |       Y
member(x, m) → member(x, l <> m)                  |          |       Y
member(x, l) ∨ member(x, m) → member(x, l <> m)   |          |       Y
nth(n, nil) = nil                                 |    Y     |       Y
qrev(l, nil) = rev(l)                             |    Y     |
qrev(l, m) = rev(l) <> rev(m)                     |    Y     |       Y
reverse(x :: nil) = x :: nil                      |    Y     |       Y
reverse(l <> (x :: nil)) = x :: reverse(l)        |          |       Y
reverse(l) <> (x :: nil) = reverse(x :: l)        |          |       Y
rot(len(l), l) = l                                |    Y     |

Fig. 1. Performance of λClam with ellipsis versus list induction proof strategies on a subset of Clam’s list theory. Conjectures which are proved are marked with a Y in the relevant column. For space reasons, we omit quantifiers. In the conjectures above, all free variables are universally quantified (l, m, and n are quantified over list(nat) and x is quantified over nat).



Note that some of the elliptic proofs still use induction over the natural num- 
bers. For example, the proof that len{l <> r) = len{r) + len{l) uses induction 
over natural numbers after the use of ellipsis in order to prove the commutativity 
of addition. 

An interesting failed proof attempt is appreverse:

$\forall l, m : list.\ reverse(l) <> reverse(m) = reverse(m <> l)$

The proof attempt stumbles when it is unable to prove:

$\Box(n + m, comb(n, (\lambda i.\, F(n - i + 1)), (\lambda i.\, G(m - i + 1)))) = \Box(m + n, (\lambda i.\, comb(m, G, F)(m + n - i + 1)))$

Proof of this goal is difficult because to make the two sides of the equality syntactically equal, we must rewrite the application term $comb(m, G, F)(m + n - i + 1)$ to a comb term. This involves reasoning about inequalities to decide the values of $i$ which cause the application term to fall into either the first or the second case of the definition of comb (3).

10 Discussion 

As noted in §7.2, the need for a clear elliptic presentation of a proof can affect the order in which proof steps are carried out. If the set of rewrite rules which is applied during the proof is not confluent, then the changes caused by reordering the application of rewrite rules in the proof can be significant, and can lead for example to different lemmas being applied or to failure of the proof. This possibility of causing fundamental changes in the proof indicates that proof portrayal cannot be relegated to a “pretty-printing” role but must instead be considered at the time the conjecture is proved.

Some functions do not easily lend themselves to representation in the □ formulation, for example flatten over arbitrarily nested lists. There may be a correspondence between such difficult examples and recursive definitions which are difficult to understand.

11 Related Work 

We briefly mentioned in §1 that our approach can be extended by means of the higher-order fold function to the representation and manipulation of formulae involving ellipsis where the main connective is not list cons. If the function ⊗ is associative, then the portrayal in equation (2) can be simplified by removing the brackets: $foldl(\otimes, a, \Box(n, F))$ is portrayed as $a \otimes F(1) \otimes \ldots \otimes F(n)$. Such an approach produces a similar formulation to the “Three Dots Language” (TDL) presented in [7], in which (following the terminology of [7]) the iteration star is essentially a higher-order fold function (compare the equations (1) defining foldl above with the expansion equations in [7, p.231]), and the iteration counter “c” represents lambda abstraction. For example, the elliptic formula $\forall x\, \exists d.\ (x_1 \cdot x_1 + \ldots + x_n \cdot x_n < a_{b+k} \cdot \ldots \cdot a_{d+k})$ is represented in TDL by equation (5) below (equation 13 of [7, p.237]) and in our formalism by (6).

$\forall x\, \exists d.\ (((x_c \cdot x_c) +^{*} c, 1..n) < (a_{c+k} \cdot^{*} c, b..d)) \qquad (5)$

$\forall x\, \exists d.\ foldl(\lambda z\, \lambda w.\ z + w \cdot w,\ 0,\ \Box(n, (\lambda i.\ x(i)))) < foldl(\lambda z\, \lambda w.\ z \cdot w,\ 1,\ \Box(d - b + 1, (\lambda i.\ a(b + k - 1 + i)))) \qquad (6)$
Since TDL concentrates on defining a small mathematical language in which terms can be reduced to a normal form, it is quite restrictive. Our approach allows us to represent and manipulate quite general kinds of elliptic formulae (for example subscripts can be nonconsecutive because of the presence of a comb operator (which has no equivalent in TDL)). We have tested our formalism in an automated theorem proving system (λClam).

12 Conclusion 

In this paper we have proposed a mechanism for allowing ellipsis in automatic proofs. The key idea is to use an internal notation in which the ambiguity inherent in elliptic notation is resolved. This uses a second-order functional □, which is similar to $\prod$. Ellipsis is recovered from this notation by portray-like print routines which hide the internal notation and replace it with ellipsis.

With this notation many functions which normally require recursive definitions can be given explicit ones. As a result induction and generalisation can be eliminated from many proofs which normally require them. The result is proofs which seem closer to ordinary mathematical intuitions; in fact, we might describe these as more ‘informal’ proofs. Axiomatisation of lists using □ has a similar flavour to the work described in [2], but the representation and its use for proofs using ellipsis that we present are new.

A heavy burden is transferred to the portray routines. To present intuitively satisfying formulae and proofs they must carry out significant rewriting to transform the internal representation into a printable form. They must also make subtle decisions about which elements of an elliptic sequence are portrayed and which suppressed. It also may be necessary to rearrange the order in which rewrite rules are applied. This indicates that in general we need to consider how to present proofs clearly at the time the proof is constructed; we cannot leave it to a post-processing step.
Abstract. We investigate the computational complexity of counting the Hilbert basis of a homogeneous system of linear Diophantine equations. We establish lower and upper bounds on the complexity of this problem by showing that counting the Hilbert basis is #P-hard and belongs to the class #NP. Moreover, we investigate the complexity of variants obtained by restricting the number of occurrences of the variables in the system.

1 Introduction and Summary of Results 

The Hilbert basis of a homogeneous system of linear Diophantine equations over the non-negative integers is the set of all non-zero vectors that are minimal solutions with respect to the pointwise order. This set forms indeed a basis of the space of solutions of the system, that is, every solution can be written as a positive linear combination of vectors from the Hilbert basis, and no member of the Hilbert basis can be expressed as a positive linear combination of other members. Moreover, this basis is essentially unique. The concept of a Hilbert basis was studied as early as the second half of the 19th century by Gordan [Gor73] and Hilbert [Hil90]. Since that time, it has received considerable attention in linear algebra and integer programming (see Schrijver [Sch86]).

Computing the Hilbert basis of a homogeneous system of linear Diophantine equations over non-negative integers has turned out to be one of the key problems in automated deduction. Its importance in this area emerged through the work of Stickel [Sti75,Sti81], who designed the first algorithm for unification in the presence of associative-commutative (AC) function symbols. Stickel showed that the minimal complete set of unifiers of a simultaneous elementary AC-unification problem can be obtained from the Hilbert basis of an associated homogeneous system of linear Diophantine equations over non-negative integers. Indeed, the minimal complete set of AC-unifiers is the set of all compatible subsets of the Hilbert basis of that system, where compatible in this context means that every variable can be instantiated by a non-zero linear combination of the members of the compatible subset. Other AC-unification algorithms were presented afterwards, including algorithms by Fages [Fag87], Herold and Siekmann [HS87],

* Research partially supported by NSF grants CCR-9610257 and CCR-9732041.
Boudet [Bou93], and Boudet, Contejean, and Devie [BCD90]. Although these AC-unification algorithms differ from each other in several aspects, they all rely on computing the Hilbert basis of the associated homogeneous system.

Following the publication of Stickel’s algorithm [Sti75], researchers became interested in algorithms for computing the Hilbert basis. Huet [Hue78] described a conceptually simple algorithm for a single equation. Clausen and Fortenbacher presented in [CF89] a more sophisticated algorithm for a single equation based on automata theory. These papers assume that the computation of the Hilbert basis of a system can be reduced to successive computations of the Hilbert basis of single equations, interlaced with substitutions of the result into the rest of the system. Aggregation is a different method for transforming a system of equations into a single equation with the same space of solutions [EE85]. Both methods entail an exponential blow-up during the transformation. Several researchers, including Contejean and Devie [CD94], Lankford [Lan89], Domenjoud [Dom91a,Dom91b], have also developed direct algorithms for computing the Hilbert basis of systems with an arbitrary number of equations.

Every algorithm for computing the Hilbert basis of a system can also be 
used to count at the same time the number of elements of the Hilbert basis. 
Lankford [Lan89] derived an exponential lower bound on the cardinality of the 
Hilbert basis of a particularly challenging homogeneous Diophantine equation. 
In the present paper, we investigate the problem of counting the Hilbert basis 
of a system from a complexity-theoretic perspective. Our results imply that 
this counting problem is highly intractable and, thus, they shed light on the 
inherent complexity of algorithms for computing the Hilbert basis. According 
to Lankford [Lan89], “a complete description of the complexity of non-negative basis algorithms seems to be a difficult open problem”.

The computational complexity theory of counting problems was developed by Valiant [Val79a,Val79b], who introduced and studied the class #P of functions that count the number of accepting paths of nondeterministic polynomial-time Turing machines, as well as the larger class #NP of functions that count the number of accepting paths of nondeterministic polynomial-time Turing machines with access to NP oracles. Valiant [Val79a,Val79b] demonstrated that these classes possess natural complete problems under suitable polynomial-time reductions. In particular, there is a large variety of #P-complete problems that arise in graph theory, logic, algebra, and combinatorics. Furthermore, #P-complete problems are encountered in the context of counting the number of minimal complete matchers modulo an equational theory, as shown in [HK95a,HK95b]. It should be noted that #P-complete and #P-hard problems are considered to be highly intractable, since, as established by Toda [Tod89], they dominate in an exact technical sense all problems in the polynomial hierarchy PH (the bottom level of which is NP).

We show that the problem of counting the Hilbert basis is #P-hard and is a member of the class #NP. These two results provide reasonably tight lower and upper bounds on the complexity of counting the Hilbert basis, even though they do not decisively pin down its exact complexity. We also analyze variants of this counting problem for restricted systems of homogeneous linear Diophantine equations; to this effect, we show that if every variable has at most two occurrences in the system, then the problem of counting the Hilbert basis is a member of the class #P. Finally, we establish that it is a #P-complete problem to count the number of compatible subsets of a given set of linearly independent and pairwise incomparable vectors. This result quantifies in a precise manner the inherent complexity of an important step in most AC-unification algorithms.

2 Counting Problems and Computational Complexity 

This section contains the definitions of basic concepts, as well as some back- 
ground material on counting problems and computational complexity. We as- 
sume some familiarity with the fundamentals of associative-commutative unifi- 
cation and computational complexity. Additional material on these topics can be 
found in the survey article [JK91] and in the monographs [BN98,Pap94,Sch86]. 

A homogeneous linear Diophantine system over non-negative integers is a 
system of equations $S\colon Ax = 0$, where $A = (a_{ij})$ is a $k \times n$ integer matrix and 
$x = (x_1, \ldots, x_n)$ is a vector of variables ranging over non-negative integers. We 
say that a solution $s$ of $S$ is nontrivial if it is different from the all-zero solution 
$(0, \ldots, 0)$. We say that a solution $s = (s_1, \ldots, s_n)$ of $S$ is smaller than a solution 
$s' = (s'_1, \ldots, s'_n)$, and write $s < s'$, if $s \neq s'$ and, for all $i = 1, \ldots, n$, it is the 
case that $s_i \le s'_i$. The relation $<$ is called the pointwise order on solutions. 
A solution $s$ is minimal if it is nontrivial and there is no smaller nontrivial 
solution $s''$, that is, $s'' < s$ is false for every nontrivial solution $s''$ of $S$. The $i$-th 
coordinate $s_i$ of a solution $s$, corresponding to the variable $x_i$, is alternatively 
denoted by $s(x_i)$. 

The Hilbert basis $H(S)$ of the system $S$ is the set of all minimal solutions of $S$. 
This set is indeed a basis for the space of nontrivial solutions of $S$, which means 
that no minimal solution can be expressed as a positive linear combination of 
the other minimal solutions, whereas every nontrivial solution can be expressed 
as a positive linear combination of minimal solutions. The Hilbert basis $H(S)$ is 
finite and it is the unique basis of the space of nontrivial solutions of $S$. 

It is well known that Hilbert bases can be used to compute minimal complete 
sets of AC-unifiers. Indeed, let $AX =_{AC} A'X'$ be a simultaneous elementary 
AC-unification problem, where $A$ and $A'$ are matrices over non-negative 
integers, $X = (X_1, \ldots, X_j)$ and $X' = (X_{j+1}, \ldots, X_n)$ are not necessarily 
disjoint vectors of formal variables, and $+$ is the unique AC-symbol. With this 
AC-unification problem, associate the homogeneous linear Diophantine system 
$S\colon (A - A')x = 0$, where the arithmetic variable $x_i$ corresponds to the formal 
variable $X_i$ for $i = 1, \ldots, n$. Consider the Hilbert basis $H(S)$ of the system $S$ over 
the variables $x_1, \ldots, x_n$. Let $\{a_1, \ldots, a_m\}$ be a subset of $H(S)$ and 
$u = (u_1, \ldots, u_m)$ be a vector of new variables. For each $i = 1, \ldots, n$, assign the 
linear expression $a_1^i u_1 + \cdots + a_m^i u_m$ to the variable $X_i$, where $a_j^i$ is the $i$-th 
coordinate of the vector $a_j$. We say that $\{a_1, \ldots, a_m\}$ is a compatible subset of 
$H(S)$ if, for each variable $X_i$, there exists a vector $a_j$ such that $a_j^i \neq 0$, that is, 
the variable $X_i$ is not assigned the value 0. The minimal complete set of unifiers 
of the AC-unification problem $AX =_{AC} A'X'$ turns out to be the set of all 
compatible subsets of $H(S)$ of the system $S$ above, where 
$X_i \mapsto a_1^i u_1 + \cdots + a_m^i u_m$ is the substitution of the variable $X_i$, when 
$\{a_1, \ldots, a_m\}$ is the chosen compatible subset. 

In this paper, we are mainly concerned with the computational complexity 
of finding the cardinality of the Hilbert basis $H(S)$ of a given homogeneous 
linear Diophantine system $S\colon Ax = 0$, that is, counting the number of minimal 
solutions of $S$. 

Valiant [Val79a,Val79b] was the first to investigate the computational com- 
plexity of counting problems. To this effect, he introduced the class #P of func- 
tions that count the number of accepting paths of nondeterministic polynomial- 
time Turing machines. The prototypical problem in this class is #SAT, which is 
the counting version of Boolean satisfiability. 

#SAT 

Input: Set $V$ of Boolean variables and Boolean formula $\phi$ over $V$ in conjunctive 
normal form. 

Output: The number of truth assignments for the variables in $V$ that satisfy $\phi$. 

In addition to initiating the study of #P, Valiant [Val79a,Val79b] developed 
a machine-based framework for introducing higher classes of counting problems. 
Specifically, for every complexity class C of decision problems, he defined #C 
to be the union $\bigcup_{A \in C} (\#\mathrm{P})^A$, where $(\#\mathrm{P})^A$ is the collection of all functions 
that count the accepting paths of nondeterministic polynomial-time Turing 
machines having $A$ as their oracle. Thus, in this framework, #NP is the class of 
functions that count the number of accepting paths of $\mathrm{NP}^{\mathrm{NP}}$ machines, that is, 
nondeterministic polynomial-time Turing machines that have access to NP 
oracles. More recently, however, researchers have introduced complexity classes of 
counting problems using the framework of witness functions and witness sets. In 
this framework, a counting problem is viewed as a witness function $w$ such that 
if $x$ is an input, then $w(x)$ is a set of succinct certificates (witnesses) for $x$, and 
the goal is to compute the cardinality $|w(x)|$ of this witness set $w(x)$. Different 
classes of counting problems can then be obtained by considering the 
computational complexity of deciding membership in the witness set. Specifically, if C is a 
complexity class of decision problems, then Hemaspaandra and Vollmer [HV95] 
define # · C to be the class of all witness functions $w$ that satisfy the following 
conditions: 

(1) There is a polynomial $p$ such that for every $x$ and every $y \in w(x)$, we 
have that $|y| \le p(|x|)$, where $|x|$ is the size of $x$ and $|y|$ is the size of $y$. 

(2) The decision problem "given $x$ and $y$, is $y \in w(x)$?" is in C. 

It is easy to verify that #P = # · P, that is, Valiant's class #P coincides 
with the class of witness functions for which membership in the witness set 
can be tested in polynomial time. For complexity classes C beyond P, however, 
the corresponding classes #C and # · C may differ, unless unlikely collapses 
of complexity classes occur (see [HV95]); in general, finer-grained complexity 
classes can be obtained using the witness-based framework. For our purposes 
here, we are interested in a result from Toda's Ph.D. thesis [Tod91] that reveals 
a rather surprising connection between the two different approaches. 

Theorem 1 (Toda). #NP = # · coNP. 

Thus, the above result asserts that Valiant's class #NP coincides with the class 
of witness functions for which membership in the witness set is in coNP. A proof 
of this theorem can also be found in [HV95]. It is clear that #P is contained 
in #NP. Moreover, #P contains the class FP of counting functions that can be 
computed in deterministic polynomial time. Therefore, we have the inclusions 
FP ⊆ #P ⊆ #NP; note that it is not known whether these inclusions are proper. 

As a general principle, what makes a complexity class C interesting is the 
existence of natural complete problems for C, that is, members of C such that 
every problem in C can be reduced to them via a suitable reduction. As regards 
classes of counting problems, these reductions are polynomial-time reductions 
that allow us to efficiently compute the number of solutions of one problem 
from the number of solutions of another. Let $v$ and $w$ be two witness functions 
with domain $\Pi^*$ and $\Sigma^*$ respectively, where $\Pi$ and $\Sigma$ are finite alphabets. The 
counting problem $v$ is polynomial-time Turing reducible to the counting 
problem $w$ if there exists a polynomial-time deterministic Turing machine $M$ that 
computes $v$ by making calls to an oracle for $w$. Restricted notions of 
polynomial-time Turing reductions between counting problems have also been considered. 
In particular, a polynomial-time 1-Turing reduction is a polynomial-time Turing 
reduction in which the Turing machine $M$ is allowed to make at most one call 
to the oracle for $w$ [Val79a,TW92]. Parsimonious reductions constitute the most 
restricted notion of reducibility. These are the special case of polynomial-time 
1-Turing reductions in which $v = w \circ g$, for some polynomial-time computable 
total function $g$. In other words, the oracle for $w$ is queried once and no 
computation is performed after the answer of the oracle is received. Thus, parsimonious 
reductions preserve the number of solutions between counting problems. 

Let #C be a counting complexity class, such as #P or #NP. A counting 
problem $w$ is #C-hard if, for each counting problem $v$ in #C, there is a 
polynomial-time Turing reduction from $v$ to $w$. If, in addition, $w$ is a member of #C, then we 
say that $w$ is #C-complete. If restricted notions of reductions are considered, then 
analogous concepts of hardness and completeness can be defined. For example, 
it is easy to show that #SAT is #P-complete under parsimonious reductions. 

It should be pointed out that #P-hard problems are considered to be truly 
intractable. As a matter of fact, establishing #P-hardness implies in a precise 
technical sense that the problem at hand is substantially more intractable than 
an NP-complete problem (see [Joh90, page 109]). Valiant's [Val79a,Val79b] 
seminal discovery was that there are #P-complete counting problems such that, 
unlike SAT, their underlying decision problem is solvable in polynomial time. In 
fact, there are #P-complete problems having a trivial decision problem. The 
following two counting problems manifest these phenomena. 

#PERFECT MATCHINGS [Val79b] 

Input: Bipartite graph $G$ with $2n$ nodes. 

Output: The number of perfect matchings of $G$, i.e., sets of $n$ edges such that 
no two edges share a common node. 

#POSITIVE 2SAT [Val79b] 

Input: Set $V$ of Boolean variables and Boolean formula $\phi$ over $V$ in conjunctive 
normal form, such that each clause of $\phi$ consists of exactly two positive literals. 

Output: The number of truth assignments for the variables in $V$ that satisfy $\phi$. 

Since the decision problem for positive 2CNF formulas is trivial, #POSITIVE 
2SAT cannot be #P-complete under parsimonious reductions. Similarly, since 
there is a polynomial-time algorithm that tells whether a perfect matching 
exists, #PERFECT MATCHINGS cannot be #P-complete under parsimonious 
reductions, unless P = NP. It is known, however, that #PERFECT MATCHINGS is 
#P-complete under polynomial-time 1-Turing reductions (see [Pap94,Zan91]). 

Both #PERFECT MATCHINGS and #POSITIVE 2SAT will be of use to us in 
establishing lower bounds for the complexity of the counting problems that we 
will study in the sequel. It is now time to formally introduce these problems. 

#HILBERT 

Input: A system of homogeneous linear Diophantine equations $S\colon Ax = 0$ over 
non-negative integers. 

Output: The cardinality of the Hilbert basis $H(S)$ of $S$. 

We mentioned earlier that Hilbert bases are used in computing minimal 
complete sets of unifiers of elementary AC-unification problems. As an intermediate 
step in this computation, one has to produce the set of all compatible subsets 
of a Hilbert basis $H(S)$ of a homogeneous linear Diophantine system $S\colon Ax = 0$ 
with $n$ variables, where a set $\{a_1, \ldots, a_m\}$ of $n$-dimensional vectors is compatible 
if for every $i \le n$ there is a $j \le m$ such that $a_j^i \neq 0$. Note also that the members 
of a Hilbert basis are pairwise incomparable in the pointwise order and linearly 
independent with respect to linear combinations with nonnegative coefficients. 
This motivates the following counting problem. 

#COMPATIBLE SUBSETS 

Input: A set $T$ of vectors of non-negative integers that are pairwise 
incomparable in the pointwise order and linearly independent with respect to linear 
combinations with nonnegative coefficients. 

Output: The cardinality of the set of all compatible subsets of $T$. 
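The definition of compatible subsets and of the unifier each one induces, as an added Python example that is not part of the paper. The input basis is constructed by hand for the elementary AC-unification problem $X_1 + X_1 =_{AC} X_2 + X_3$, i.e. the equation $2x_1 - x_2 - x_3 = 0$; the function names and the textual rendering of the substitution (a coefficient $c$ written as $c$ repetitions of $u_j$ joined by the AC symbol $+$) are my own choices, and the precondition check covers pairwise incomparability only, not the independence condition.

```python
from itertools import combinations


def pairwise_incomparable(vectors):
    """Precondition of #COMPATIBLE SUBSETS: no vector is pointwise <= another one."""
    def leq(a, b):
        return all(x <= y for x, y in zip(a, b))
    return not any(leq(a, b) or leq(b, a) for a, b in combinations(vectors, 2))


def compatible_subsets(vectors):
    """All subsets (as index tuples) that leave no coordinate, i.e. no formal
    variable X_i, assigned 0: for every i some chosen vector has a nonzero
    i-th entry."""
    n = len(vectors[0])
    result = []
    for r in range(1, len(vectors) + 1):
        for sub in combinations(range(len(vectors)), r):
            if all(any(vectors[j][i] != 0 for j in sub) for i in range(n)):
                result.append(sub)
    return result


def unifier(vectors, sub, names):
    """The substitution X_i -> a_1^i u_1 + ... + a_m^i u_m for the chosen subset,
    written with + as the AC symbol: a coefficient c means c copies of u_j."""
    subst = {}
    for i, name in enumerate(names):
        terms = []
        for j in sub:
            terms += [f"u{j + 1}"] * vectors[j][i]
        subst[name] = " + ".join(terms)
    return subst


# Constructed example: Hilbert basis of 2 x1 - x2 - x3 = 0, the Diophantine
# system of X1 + X1 =AC X2 + X3.  Each vector is (x1, x2, x3).
BASIS = [(1, 2, 0), (1, 0, 2), (1, 1, 1)]
NAMES = ["X1", "X2", "X3"]


def count_compatible(vectors):
    """The #COMPATIBLE SUBSETS value for an input satisfying the precondition."""
    assert pairwise_incomparable(vectors), "input violates the precondition"
    return len(compatible_subsets(vectors))


if __name__ == "__main__":
    for sub in compatible_subsets(BASIS):
        print(sub, unifier(BASIS, sub, NAMES))
```

For the constructed basis every subset that covers both $x_2$ and $x_3$ is compatible, which gives five unifiers; the single-vector subset $\{(1,1,1)\}$ yields $X_1 \mapsto u_1$, $X_2 \mapsto u_1$, $X_3 \mapsto u_1$, and $\{(1,2,0),(1,0,2)\}$ yields $X_1 \mapsto u_1 + u_2$, $X_2 \mapsto u_1 + u_1$, $X_3 \mapsto u_2 + u_2$.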



3 The Complexity of Counting the Hilbert Basis 

In this section, we obtain upper and lower bounds for the computational com- 
plexity of counting the Hilbert basis. Before stating and proving the main results, 
we address the issue of how the inputs are encoded. 

If the input of a decision problem involves integers, then the complexity of 
that problem may depend on whether these integers are encoded in binary or 
in unary. For instance, KNAPSACK is NP-complete when the coefficients of the 
input are given in binary, but is solvable in polynomial time when these 
coefficients are given in unary. In contrast, 3-PARTITION remains NP-complete 
even if the coefficients of the input are given in unary (see [GJ79]). Note that 
typically the inputs of an AC-unification problem are given in unary, that is, 
each monomial $ax$ is encoded by $|a|$ bits (instead of $\log |a|$ bits), because $ax$ 
represents $|a|$ occurrences of the variable $x$ and the inputs are terms over the 
alphabet of variables and function symbols. Since #HILBERT originates in 
elementary AC-unification, it would be natural to assume that the coefficients 
of linear Diophantine systems are written in unary. In linear algebra and 
integer programming, however, coefficients of linear systems are usually given in 
binary. As it turns out, the complexity of #HILBERT does not depend 
on whether the coefficients are encoded in binary or in unary, because there is 
a polynomial-time reduction that reduces #HILBERT in binary to #HILBERT in 
unary. Specifically, each system $S\colon Ax = 0$ can be transformed in polynomial 
time to a system $S'\colon A'x' = 0$ such that the coefficients of the matrix $A'$ are $0$, 
$1$ or $-1$, there is a one-to-one mapping from the variables $x$ to the variables $x'$, 
and there is a one-to-one and onto mapping between the Hilbert bases of $S$ and 
$S'$. For every monomial $ax$ with $|a| > 2$ occurring in the system $S\colon Ax = 0$, let 
$p = \lfloor \log_2 |a| \rfloor$ and let $|a| = \sum_{i=0}^{p} a_i 2^i$ be the binary expansion of the absolute 
value of the coefficient $a$. Introduce $p + 1$ new variables $z_0, \ldots, z_p$, and add the 
equations $z_0 = x$ and $z_i = 2 z_{i-1}$ for each $i = 1, \ldots, p$, so that $z_i = 2^i x$. 
Furthermore, introduce a new variable $v$ and add the equation 
$v = a_0 z_0 + \cdots + a_p z_p$, so that $v = |a|\, x$. If $a > 0$, 
then replace the monomial $ax$ by the variable $v$; otherwise, replace $ax$ by $-v$. 
By applying this transformation to every such monomial, we obtain a system with 
coefficients from $\{-2, -1, 0, 1, 2\}$. Now, replace each monomial $2x$ (respectively, 
$-2x$) by the expression $x + x'$ (respectively, $-x - x'$), where $x'$ is a new variable, 
and add the equation $x' = x$; the pair $x, x'$ thus stands for two copies of $x$ with 
coefficient $1$ each. This completes the transformation of $S$ to a 
system $S'$ with the desired properties. Every new variable is a fixed positive 
multiple of an old one, so solutions of $S$ and $S'$, and the pointwise order between 
them, correspond one-to-one, and hence so do the Hilbert bases. Moreover, the 
entire transformation can be carried out in polynomial time, since for each 
monomial $ax$ with $|a| > 2$ we add $O(\log_2 |a|)$ new variables and equations, i.e., 
polynomially many in the size of the system $S$ in binary. 
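The binary-to-unary transformation just described, as an added Python example (not code from the paper). The row representation as `{variable: coefficient}` dicts, the names `unit_coefficient_system`, `evaluate` and `lift`, and the constructed input $5x - 3y = 0$ are my own; the function also returns the map that lifts a solution of $S$ to the corresponding solution of $S'$, which is how one checks that the new variables are determined by the old ones. In the step that removes coefficients $\pm 2$ the new variable is tied to the old one by $x' = x$.

```python
def unit_coefficient_system(system):
    """Transform S: Ax = 0 into an equivalent system S' whose coefficients all lie
    in {-1, 0, 1}, following the construction above.

    A system is a list of equations, each a dict {variable: integer coefficient}
    meaning sum(coef * variable) = 0.  Returns (rows, lift), where `lift` maps a
    solution of S (dict variable -> value) to the corresponding solution of S':
    every new variable is a fixed multiple of an old one, so solutions (and the
    pointwise order between them) correspond one-to-one.
    """
    rows = [dict(r) for r in system]
    counter = [0]

    def fresh(prefix):
        counter[0] += 1
        return f"{prefix}{counter[0]}"

    definitions = []   # (new_var, (source_var, factor)): new_var = factor * source_var

    # Step 1: a monomial a*x with |a| > 2 becomes v, with v = |a| * x enforced
    # through the doubling chain z_0 = x, z_i = 2 z_{i-1} and v = sum of the z_i
    # selected by the binary expansion of |a|.  Only O(log |a|) new variables.
    extra = []
    for row in rows:
        for x, a in list(row.items()):
            if abs(a) <= 2:
                continue
            p = abs(a).bit_length() - 1              # p = floor(log2 |a|)
            z = [fresh("z") for _ in range(p + 1)]   # z_i = 2^i * x
            extra.append({z[0]: 1, x: -1})           # z_0 = x
            definitions.append((z[0], (x, 1)))
            for i in range(1, p + 1):
                extra.append({z[i]: 1, z[i - 1]: -2})   # z_i = 2 z_{i-1}
                definitions.append((z[i], (x, 1 << i)))
            v = fresh("v")
            eq = {v: 1}
            for i in range(p + 1):
                if (abs(a) >> i) & 1:
                    eq[z[i]] = -1                    # v = sum over set bits of z_i = |a| x
            extra.append(eq)
            definitions.append((v, (x, abs(a))))
            del row[x]
            row[v] = 1 if a > 0 else -1
    rows += extra

    # Step 2: every remaining monomial +-2x becomes +-(x + x') with a new x' = x.
    extra = []
    for row in rows:
        for x, a in list(row.items()):
            if abs(a) == 2:
                x2 = fresh("w")
                row[x] = 1 if a > 0 else -1
                row[x2] = row[x]
                extra.append({x2: 1, x: -1})         # x' = x
                definitions.append((x2, (x, 1)))
    rows += extra

    def lift(solution):
        full = dict(solution)
        for var, (src, factor) in definitions:       # listed in dependency order
            full[var] = factor * full[src]
        return full

    return rows, lift


def evaluate(rows, solution):
    """True iff `solution` (missing variables count as 0) satisfies every equation."""
    return all(sum(c * solution.get(v, 0) for v, c in row.items()) == 0
               for row in rows)


if __name__ == "__main__":
    # Constructed input: the single equation 5x - 3y = 0, Hilbert basis {(3, 5)}.
    rows, lift = unit_coefficient_system([{"x": 5, "y": -3}])
    print(rows)
    print(lift({"x": 3, "y": 5}), evaluate(rows, lift({"x": 3, "y": 5})))
```

For $5x - 3y = 0$ the coefficient 5 (binary 101) yields the chain $z_1 = x$, $z_2 = 2z_1$, $z_3 = 2z_2$ and $v = z_1 + z_3$; the two remaining doublings and the one for the coefficient 3 are then split as in step 2, so the output has eleven equations over twelve variables, all with coefficients in $\{-1, 1\}$.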

Theorem 2. The counting problem #HILBERT is in the class #NP. 

Proof. We first show that #HILBERT belongs to the class # · coNP, and then use 
Theorem 1 to conclude that it is in #NP. 

Suppose we are given a homogeneous linear Diophantine system $S\colon Ax = 0$, 
where $A$ is a $k \times n$ integer matrix. As the witness set for $S$, we take the set 
of all minimal solutions of $S$. We have to verify that the size of each minimal 
solution is polynomially bounded in the size of $S$, and that testing for 
minimality is in coNP. Papadimitriou [Pap81] proved that integer programming 
is in NP by establishing that if a system of Diophantine equations has a 
nonnegative integer solution, then it has a "short" nonnegative integer solution. 
Several different researchers, including Domenjoud [Dom91a], Lambert [Lam87], 
and Pottier [Pot91] have shown that Papadimitriou's [Pap81] argument can 
be adapted to yield the stronger result that every minimal solution is "short" 
(see also [BN98]). Specifically, if $(s_1, \ldots, s_n)$ is an arbitrary minimal solution of 
$S\colon Ax = 0$, then $s_i \le n(ka)^{2k+1}$ holds for all $1 \le i \le n$, where $a$ is the maximum 
absolute value of the coefficients of the matrix $A$. It follows that the size of every 
minimal solution is at most $n \log n + n(2k+1)(\log a + \log k)$, which implies that it 
is bounded by a polynomial in the size of the system $S$. 

Fig. 1. A bipartite graph with two perfect matchings (the graph of Example 1) 

Finally, we have to show that the following decision problem is in coNP: given 
a system $S$ as above and a vector $s$, is $s$ a minimal solution of $S$? Since whether 
$s$ is a solution of $S$ can be checked in polynomial time, we may as well assume 
that the given vector s is a solution of S. The complement of the aforementioned 
decision problem is in NP: to show that s is not a minimal solution, simply guess 
a nontrivial solution s' that is smaller than s in the pointwise order. □ 

For the lower bound, we show that #HILBERT is #P-hard. For this, we 
produce a parsimonious reduction from #PERFECT MATCHINGS to #HILBERT. 

Let $G = (U, V, E)$ be a bipartite graph with $2n$ nodes, where $|U| = |V| = n$. 
For every edge $e_j^i = (u_i, v_j) \in E$, introduce a variable $x_j^i$. In addition, introduce 
a variable $y$. For every node $u_i$ in $U$, form the equation $x_{j_1}^i + \cdots + x_{j_k}^i = y$, 
where $e_{j_1}^i, \ldots, e_{j_k}^i$ is the list of all edges adjacent to $u_i$. Similarly, for each 
$v_j \in V$, form the equation $x_j^{i_1} + \cdots + x_j^{i_l} = y$, where $e_j^{i_1}, \ldots, e_j^{i_l}$ is the list 
of all edges adjacent to the node $v_j$. Let $S$ be the homogeneous linear Diophantine 
system consisting of the above equations for all nodes $u_i \in U$ and $v_j \in V$. Thus, 
$S$ consists of $2n$ equations; note that the left-hand side of each equation contains 
occurrences of the variables $x_j^i$, whereas the right-hand side of each equation is 
always $y$. Note also that each variable $x_j^i$ occurs exactly twice in the system: once 
in the equation for node $u_i$ and once in the equation for node $v_j$. We illustrate 
this construction with an example. 

Example 1. Let $G = (\{u_1, u_2, u_3\}, \{v_1, v_2, v_3\}, E)$ be the bipartite graph 
depicted in Figure 1, having $(u_1, v_1)$, $(u_2, v_2)$, $(u_2, v_3)$, $(u_3, v_2)$, and $(u_3, v_3)$ as 
edges. Then the system $S$ consists of the following equations in the variables 
$x_1^1, x_2^2, x_3^2, x_2^3, x_3^3, y$: 

$u_1\colon\ x_1^1 = y$              $v_1\colon\ x_1^1 = y$ 

$u_2\colon\ x_2^2 + x_3^2 = y$      $v_2\colon\ x_2^2 + x_2^3 = y$ 

$u_3\colon\ x_2^3 + x_3^3 = y$      $v_3\colon\ x_3^2 + x_3^3 = y$ 

The Hilbert basis of the preceding system $S$ is $H(S) = \{110011, 101101\}$, with 
the coordinates listed in the variable order above. 
Complexity of Counting the Hilbert Basis of a Linear Diophantine System 

Note that the bipartite graph $G$ has two perfect matchings and that the Hilbert 
basis $H(S)$ has two vectors. It turns out that this is not accidental. Indeed, in a 
sequence of three lemmas we establish that there exists a one-to-one 
correspondence between the perfect matchings of an arbitrary bipartite graph $G$ and the 
minimal solutions of the associated system $S$. 
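The reduction and Example 1 above, as an added Python example that is not part of the paper: it builds $S$ from a bipartite graph, enumerates $H(S)$ by brute force within a small coordinate bound, and compares $|H(S)|$ with a direct count of perfect matchings. The bound is an assumption of the demo (the general bound $n(ka)^{2k+1}$ is far too large to search); bound 2 is enough to see the non-minimal solutions with $y = 2$ being filtered out by the minimality test. Function and variable names are my own.

```python
from itertools import permutations, product

# Constructed input: the bipartite graph of Example 1, with U = {1,2,3},
# V = {1,2,3} and the edges (u_i, v_j) written as pairs (i, j).
EXAMPLE1_EDGES = [(1, 1), (2, 2), (2, 3), (3, 2), (3, 3)]


def system_from_graph(n, edges):
    """The system S of the reduction: one equation per node of U and of V.
    Variables are x_e for each edge e (in the order given), followed by y.
    Each equation 'sum of incident edge variables = y' is returned as a
    coefficient row over the m+1 variables, with y moved to the left-hand side."""
    rows = []
    for side in (0, 1):                  # side 0: nodes of U, side 1: nodes of V
        for node in range(1, n + 1):
            row = [1 if edge[side] == node else 0 for edge in edges]
            row.append(-1)               # ... - y = 0
            rows.append(row)
    return rows


def satisfies(rows, s):
    return all(sum(a * v for a, v in zip(row, s)) == 0 for row in rows)


def hilbert_basis(rows, bound):
    """Minimal nontrivial solutions of the system with every coordinate in
    0..bound.  Brute force, exponential in the number of variables, so only
    for tiny systems; `bound` is an assumption of this demo."""
    n = len(rows[0])
    solutions = [s for s in product(range(bound + 1), repeat=n)
                 if any(s) and satisfies(rows, s)]

    def smaller(t, s):                   # t < s in the pointwise order
        return t != s and all(ti <= si for ti, si in zip(t, s))

    return [s for s in solutions if not any(smaller(t, s) for t in solutions)]


def count_perfect_matchings(n, edges):
    """Direct count: a perfect matching is a bijection U -> V using only edges."""
    edge_set = set(edges)
    return sum(all((i + 1, p[i]) in edge_set for i in range(n))
               for p in permutations(range(1, n + 1)))


def compare(n, edges, bound=2):
    """Return (|H(S)|, number of perfect matchings of G, H(S))."""
    basis = hilbert_basis(system_from_graph(n, edges), bound)
    return len(basis), count_perfect_matchings(n, edges), basis


if __name__ == "__main__":
    print(compare(3, EXAMPLE1_EDGES))
```

For the graph of Example 1 the two minimal solutions come out as $(1,0,1,1,0,1)$ and $(1,1,0,0,1,1)$, the vectors $101101$ and $110011$ of the text; the doubled solutions with $y = 2$ are found by the search but discarded as non-minimal, and a graph violating Hall's condition gives an empty basis.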

The first lemma is proved using the well-known Hall's theorem. 

Theorem 3 (Hall). Let $G = (U, V, E)$ be a bipartite graph, where $|U| = |V|$. 
Then $G$ has a perfect matching if and only if for every subset $A \subseteq U$, we have 
that $|A| \le |R(A)|$, where $R(A) = \{v \in V \mid \exists u \in A,\ (u, v) \in E\}$. 

Lemma 1. If a bipartite graph $G$ has no perfect matching, then the only solution 
of $S$ is the trivial all-zero solution $y = 0$, $x_j^i = 0$, where $1 \le i, j \le n$. 

Proof. If $G$ has no perfect matching, then, by Hall's theorem, there exists a 
set of nodes $A \subseteq U$ such that $|A| > |R(A)|$ holds. Let $E_A$ be the set of edges 
between the nodes of $A$ and of $R(A)$ in the graph $G$. Let $X_A$ be the variables 
corresponding to the edges $E_A$. By summing up the equations for the nodes 
$u_i \in A$, we obtain the equation $\sum_{x \in X_A} x = |A|\, y$. Similarly, by summing up 
the equations for the nodes $v_j \in R(A)$, we obtain the relation 
$\sum_{x \in X_A} x \le |R(A)|\, y$, since the edges $E_A$ are a subset of the edges incident 
to $R(A)$. The left-hand sides of these two expressions are equal, therefore we can 
derive the relation $|A|\, y \le |R(A)|\, y$. Since $|A| > |R(A)|$ holds, the only solution 
of the last inequation is $y = 0$. The right-hand side of each equation in $S$ is then 
equal to $0$, therefore each variable must also be $0$. □ 

The proof of the next lemma is quite straightforward. 

Lemma 2. For every perfect matching $M$ in $G$, there exists a solution of the 
system $S$ such that $y = 1$, $x_j^i \in \{0, 1\}$, and $x_j^i = 1$ if and only if $e_j^i \in M$. 
Conversely, for every solution of $S$ with $y = 1$ there exists a perfect matching in 
the bipartite graph $G$. Moreover, every solution of $S$ with $y = 1$ is minimal. 

The last lemma implies that all minimal solutions of $S$ must have $y = 1$. 

Lemma 3. If a solution of $S$ is such that $y \ge 2$, then it is not minimal. 

Proof. Let $(s_1, \ldots, s_n, t)$ be a solution of $S(x_1, \ldots, x_n, y)$ such that $t \ge 2$. 
Transform the system $S$ to a system $S^*$ by eliminating all variables $x_i$ for which 
$s_i = 0$. We obtain the system $S^*(x_1^*, \ldots, x_m^*, y)$ with the solution 
$(s_1^*, \ldots, s_m^*, t)$, where $s_i^* > 0$ for each $i = 1, \ldots, m$. Note that the system $S^*$ 
corresponds to a bipartite graph $G^* = (U, V, E^*)$ that is a subgraph of $G$. 

Since $t > 0$, Lemma 1 implies that there exists a perfect matching in $G^*$. 
From Lemma 2, it follows that there exists a solution $(s'_1, \ldots, s'_m, 1)$ of $S^*$ such 
that $s'_i \in \{0, 1\}$. Clearly, $(s_1^*, \ldots, s_m^*, t) > (s'_1, \ldots, s'_m, 1)$ in the pointwise order. 
Therefore, also $(s_1, \ldots, s_n, t) > (s''_1, \ldots, s''_n, 1)$ holds, where $s''_i = s'_j$ if 
$x_i = x_j^*$ and $s''_i = 0$ if $s_i = 0$. Moreover, $(s''_1, \ldots, s''_n, 1)$ is a solution of $S$. 
Consequently, $(s_1, \ldots, s_n, t)$ is not a minimal solution of $S$. □ 
Lemmas 1, 2, and 3 show that there is a parsimonious reduction from #PERFECT 
MATCHINGS to #HILBERT. Thus, we have just completed the proof of the following 
theorem. 

Theorem 4. The counting problem #HILBERT is #P-hard. 

The preceding Theorems 2 and 4 yield upper and lower bounds for the 
complexity of counting the Hilbert basis. We now discuss some of the difficulties 
that arise if one attempts to narrow the gap between #P-hardness and 
membership in #NP. An inspection of the proof of Theorem 2 reveals that #HILBERT 
would be in #P, if testing a solution for minimality were solvable in polynomial 
time. Durand, Hermann, and Juban [DH J99], however, have shown that it is a 
coNP-complete problem to tell whether a given solution of a homogeneous linear 
Diophantine system is minimal. 
Thus, assuming P ≠ NP, to prove that #HILBERT is in #P would require one 
to come up with a very different set of witnesses for #HILBERT and show that 
membership in that witness set is in polynomial time. We believe that this is 
not possible and conjecture that #HILBERT is not in #P. Note that this 
conjecture implies that #P ≠ #NP, which, in turn, implies that P ≠ NP. As regards 
the lower bound, we showed that #PERFECT MATCHINGS has a parsimonious 
reduction to #HILBERT. Since, as mentioned earlier, #PERFECT MATCHINGS is 
#P-hard under polynomial-time 1-Turing reductions (see [Pap94,Zan91]), it 
follows that #HILBERT is also #P-hard under polynomial-time 1-Turing reductions. 
In a breakthrough paper [TW92], however, Toda and Watanabe proved that if a 
counting problem is #P-hard under polynomial-time 1-Turing reductions, then 
it is also # · C-hard under such reductions for every level $C = \Sigma_i\mathrm{P}$ or 
$C = \Pi_i\mathrm{P}$, $i \ge 1$, of the polynomial hierarchy PH (note that, by definition, 
$\Sigma_1\mathrm{P} = \mathrm{NP}$ and $\Pi_1\mathrm{P} = \mathrm{coNP}$). In particular, it follows that #HILBERT is 
#NP-complete under polynomial-time 1-Turing reductions. Thus, at first sight it 
appears that the exact complexity of #HILBERT has been pinpointed. A moment's 
reflection, however, reveals that there is something quite unsatisfactory with this 
conclusion. Indeed, Toda and Watanabe's [TW92] result suggests that 
polynomial-time 1-Turing reductions cannot help us differentiate between problems that are 
# · C-complete for different levels C of the polynomial hierarchy PH. Moreover, 
Toda and Watanabe's [TW92] result provides strong evidence that #P, #NP 
and the other higher counting complexity classes $\#\cdot\Sigma_i\mathrm{P}$ and $\#\cdot\Pi_i\mathrm{P}$, $i \ge 1$, 
are not closed under polynomial-time 1-Turing reductions. Consequently, to draw 
distinctions between complete problems for different counting classes, one has to 
consider more restricted reductions under which the classes at hand are closed. 
Clearly, the counting complexity classes $\#\cdot\Sigma_i\mathrm{P}$ and $\#\cdot\Pi_i\mathrm{P}$, $i \ge 1$, are closed 
under parsimonious reductions. Moreover, for every $i \ge 1$ both $\#\cdot\Sigma_i\mathrm{P}$ and 
$\#\cdot\Pi_i\mathrm{P}$ contain natural problems that are complete for them under parsimonious 
reductions. For instance, Valiant [Val79a] considered a counting satisfiability 
problem called NSAT, which turns out to be # · NP-complete ($\#\cdot\Sigma_1\mathrm{P}$-complete) 
under parsimonious reductions. Here, we are interested in the following counting 
problem $\#\Pi_1\mathrm{SAT}$, which is a "dual" version of NSAT. 
$\#\Pi_1\mathrm{SAT}$ 

Input: A Boolean formula $\phi$ in disjunctive normal form and a partition of its 
variables into two sets $X$ and $Y$. 

Output: The number of truth assignments $s$ to the variables in $X$ so that the 
resulting formula $\phi(X/s)$ is a tautology (i.e., for every truth assignment $t$ to the 
variables of $Y$, the concatenation $st$ satisfies $\phi$). 

It is clear that $\#\Pi_1\mathrm{SAT}$ is in # · coNP = #NP. Moreover, Durand [Dur99] 
has shown that $\#\Pi_1\mathrm{SAT}$ is #NP-complete under parsimonious reductions. We 
now show that, unless P = NP, no parsimonious reduction from $\#\Pi_1\mathrm{SAT}$ to 
#HILBERT exists. 

Proposition 1. If $\#\Pi_1\mathrm{SAT}$ has a parsimonious reduction to #HILBERT, then 
P = NP. Consequently, #HILBERT is not #NP-complete under parsimonious 
reductions, unless P = NP. 

Proof. Using the hypothesis, we will show that one can decide in polynomial 
time whether a Boolean formula $\psi$ in disjunctive normal form is a tautology, 
which implies that coNP = P = NP. Let $\psi$ be a Boolean formula in disjunctive 
normal form with $D_1, \ldots, D_m$ as disjuncts, and $Y = \{y_1, \ldots, y_n\}$ as variables. 
Let $x$ be a new variable and let $\phi$ be the formula $(D_1 \wedge x) \vee \cdots \vee (D_m \wedge x)$. 
Observe that if $\psi$ is a tautology, then there is exactly one truth assignment to $x$ 
(namely, $x = \mathrm{true}$) such that $\phi(x/\mathrm{true})$ is a tautology. Furthermore, if $\psi$ is not a 
tautology, then no truth assignment $s$ to $x$ turns $\phi(x/s)$ into a tautology. Let $g$ be a 
parsimonious reduction of $\#\Pi_1\mathrm{SAT}$ to #HILBERT. It follows that $\psi$ is a tautology 
if and only if the homogeneous linear Diophantine system $g(\phi(x, Y))$ has at least 
one minimal solution. Clearly, a homogeneous linear Diophantine system has at 
least one minimal solution if and only if it has a non-trivial solution over the 
non-negative integers. The latter condition, however, can be checked in polynomial 
time, because it is easily reducible to linear programming. Indeed, it is clear that 
the system $S\colon Az = 0$ has a non-trivial solution over the non-negative integers 
if and only if the system $Az = 0$, $z_1 + \cdots + z_n \ge 1$, $z_1 \ge 0, \ldots, z_n \ge 0$ has a 
solution over the rationals. □ 

Thus, we are left with the intriguing question: are there polynomial-time 
reductions under which #NP is closed and #HILBERT is #NP-complete? To 
appreciate this question, we note that it is not known whether polynomial-time 
reductions exist under which #P is closed and #PERFECT matchings is #P- 
hard. 

4 Restricted Systems of Diophantine Equations 

To understand further the sources of intractability of #HILBERT, in this section 
we examine the complexity of counting the Hilbert basis for systems of 
homogeneous linear Diophantine equations that obey certain structural restrictions. 
As regards systems of equations, a natural restriction is to impose bounds on 
the number of occurrences of the variables in the system. In fact, this type of 
restriction has been studied in the context of elementary AC-matching and in 
many cases has helped in delineating the boundary between tractability and 
intractability [BKN87,HK95b]. In what follows, we investigate the impact of this 
structural restriction on the complexity of #HILBERT. 

For every positive integer $m$, let #HILBERT($m$) be the restriction of #HILBERT 
to systems of equations such that for every variable $x$ the sum of the occurrences 
of $x$ in the equations of the system is at most $m$, where a monomial $ax$ 
accounts for $|a|$ occurrences of the variable $x$. We first observe that #HILBERT($m$), 
with $m > 3$, has a parsimonious reduction to #HILBERT(3). As seen earlier, 
each system $S\colon Ax = 0$ can be transformed to an essentially equivalent system 
$S'\colon A'x' = 0$, where the coefficients of the integer matrix $A'$ are from $\{-1, 0, 1\}$. 
Let $x$ be a variable with $m > 3$ occurrences. Introduce $m$ new variables 
$u_1, \ldots, u_m$. Replace the $i$-th occurrence of the variable $x$ by $u_i$ and obtain a new 
system $S''$ by adding the equations $u_1 = u_2$, $u_2 = u_3$, \ldots, $u_m = u_1$. It is clear 
that each variable in $S''$ has at most three occurrences and that the coefficients 
of the system are from $\{-1, 0, 1\}$. It is also clear that there is a one-to-one and 
onto correspondence between the solutions of the systems $S$ and $S''$. 
Furthermore, only a polynomial number of new equations is added. Thus, there exists 
a parsimonious reduction from the general problem #HILBERT to the restricted 
problem #HILBERT(3). 

In view of the above, we focus our attention on the computational complexity 
of #HILBERT(1) and #HILBERT(2). Lincoln and Christian [LC89] pointed out 
that the Hilbert basis of a homogeneous linear Diophantine equation of the 
form $x_1 + \cdots + x_k = y_1 + \cdots + y_n$ consists of $kn$ solutions. Specifically, it 
consists of all vectors satisfying the condition that there exist two indices $i$ 
and $j$ such that $x_i = 1$, $x_l = 0$ for all $l \neq i$, and $y_j = 1$, $y_m = 0$ for all $m \neq j$. 
Since there are $k$ independent choices for $i$, and $n$ independent choices for $j$, 
we have a total of $kn$ minimal solutions. Suppose now we are given a system of 
homogeneous linear Diophantine equations in which each variable occurs exactly 
once. Thus, each variable occurs in exactly one equation and every equation 
of the system is of the form $x_1 + \cdots + x_k = y_1 + \cdots + y_n$. Note that each 
minimal solution of a single equation can be extended to exactly one minimal 
solution of the system by setting the variables of all other equations to zero. 
Conversely, it is easy to see that each minimal solution of the system consists of 
a minimal solution of a single equation and a zero-assignment to the variables 
of all other equations. Consequently, the cardinality of the Hilbert basis of such 
a system can be computed in polynomial time by first finding the number of 
minimal solutions for each equation separately, and then adding these numbers. 
This argument shows that the counting problem #HILBERT(1) is in the class FP 
of functions computable in deterministic polynomial time. 

It remains to consider the computational complexity of #HILBERT(2), that 
is, counting the Hilbert basis of systems of homogeneous linear Diophantine 
equations in which each variable has at most two occurrences. Our main result 
in this section is that #HILBERT(2) is in the class #P and, thus, appears to have 
lower complexity than #HILBERT(3). The proof of this theorem is based on the 
following two lemmas. 

Lemma 4. Let S be a homogeneous linear Diophantine system over non-ne- 
gative integers such that each variable has at most two occurrences. Then there 
exists a homogeneous linear Diophantine system S' , called the reduced form of S, 
that is equivalent to S and has the following properties: 

— Each variable has at most two occurrences; 

— Each equation is of type $x_1 + x_2 = x_3$ (type A) or of type $x_1 = x_2$ (type B); 

— Each variable having exactly two occurrences appears in two distinct equa- 
tions, once in an equation of type A and once in an equation of type B. 

Proof. (Hint) Let $S : Ax = 0$ be a homogeneous linear Diophantine system with at most two occurrences of each variable. Eliminate from $S$ all variables that can only take 0 as value, e.g., the equation $2x_1 + x_3 + 2x_5 = 0$ forces $x_1 = x_3 = x_5 = 0$. Eliminate all trivial equations $0 = 0$. Move the variables with negative coefficients to the right-hand side of the equations. Replace each monomial of the form $2x$ by $x_1 + x_2$, where $x_1$ and $x_2$ are new variables, and add the equation $x_1 = x_2$. Now, every variable occurs with coefficient 1. After these transformations, each equation has the form $ax = a'x$, where $a, a'$ are vectors over $\{0, 1\}$. Split each equation of the form $ax = a'x$ into $ax = x'$, $a'x = x''$, and $x' = x''$, where $x', x''$ are new variables. Split each equation of the form $x_1 + x_2 + \cdots + x_n = x_{n+1}$, where $n > 2$, into the three equations $x_1 + x'_1 = x_{n+1}$, $x_2 + \cdots + x_n = x''_1$, and $x'_1 = x''_1$. Repeat this last step until there are no more equations with more than two variables on the left-hand sides. Finally, if there are two equations of the type $x_1 = x_2$ and $x_2 = x_3$, then contract these equations to a single equation $x_1 = x_3$ and delete the variable $x_2$. □ 

We saw earlier that the size of every minimal solution of an arbitrary homogeneous linear Diophantine system is bounded by a polynomial in the size of the system. The second lemma shows that this bound can be dramatically improved if every variable has at most two occurrences in the system. 

Lemma 5. Let $S$ be a homogeneous linear Diophantine system over non-negative integers such that every variable has at most two occurrences. Then every minimal solution $(s_1, \ldots, s_n)$ of $S$ has the property that the value of each coefficient $s_i$ is at most 2. 

Proof. (Hint) The main idea of the proof is to transform the system $S$ and a given solution $s$ into a graph having the following property: each cycle in the graph represents a new solution $s'$ such that $s'$ is either the trivial all-zero solution or it is a solution that is pointwise smaller than or equal to the original solution $s$. After this, using properties of the graph, it can be shown that each variable with value 3 can be decremented by 1 or 2, and the result is still a solution of the original system. This is established via an analysis of 16 cases, the details of which can be found at http://www.loria.fr/~juban/16cases.ps.gz. It follows that in every minimal solution each variable must have value at most 2 [Jub98]. □ 
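The $kn$ count for #HILBERT(1) above and the bound of Lemma 5 can both be checked on small systems by a brute-force enumeration. The following block is an added example and is not code from the paper; the two systems A_ONE and A_TWO are constructed here for the illustration, and the enumeration is exponential in the number of variables, so it serves only as a checker for the small-witness arguments, not as an algorithm for #HILBERT.

```python
from itertools import product

# Added example, not code from the paper: a brute-force checker for the two
# small-witness facts used in this section. It enumerates the Hilbert basis
# of A x = 0 (x over non-negative integers) among vectors whose coordinates
# are at most `bound`; the search is exponential in the number of variables
# and is meant only to verify the kn count for #HILBERT(1) and the bound of
# Lemma 5 on constructed systems, not as an algorithm for #HILBERT.


def is_solution(A, x):
    """True iff every row a of the integer matrix A satisfies a . x = 0."""
    return all(sum(a * v for a, v in zip(row, x)) == 0 for row in A)


def dominates(s, t):
    """Pointwise s >= t."""
    return all(a >= b for a, b in zip(s, t))


def hilbert_basis(A, bound):
    """Minimal non-zero solutions of A x = 0 with all coordinates <= bound.

    If every minimal solution has coordinates <= bound (as Lemma 5
    guarantees with bound = 2 when each variable occurs at most twice),
    this is exactly the Hilbert basis: a non-minimal bounded solution
    dominates some minimal solution, which is itself bounded and so is
    present in the candidate list and disqualifies it.
    """
    n = len(A[0])
    sols = [x for x in product(range(bound + 1), repeat=n)
            if any(x) and is_solution(A, x)]
    return sorted(s for s in sols
                  if not any(t != s and dominates(s, t) for t in sols))


def count_hilbert_1(equations):
    """#HILBERT(1) in FP: for a system in which each variable occurs once,
    given as a list of (k, n) for equations x_1+...+x_k = y_1+...+y_n,
    the Hilbert basis is the disjoint union of the kn minimal solutions
    of each equation."""
    return sum(k * n for k, n in equations)


# Constructed system 1: x1 + x2 = y1 + y2 + y3 (k = 2, n = 3), each variable
# occurring once, written as the single row of A x = 0.
A_ONE = [[1, 1, -1, -1, -1]]

# Constructed system 2, already in the reduced form of Lemma 4:
#   x2 + x3 = x1 (type A),   x2 = x3 (type B).
# Its solutions are (2a, a, a), so the only minimal solution is (2, 1, 1):
# the bound 2 of Lemma 5 is attained but not exceeded.
A_TWO = [[1, -1, -1],
         [0, 1, -1]]

if __name__ == "__main__":
    print(hilbert_basis(A_ONE, 2), count_hilbert_1([(2, 3)]))
    print(hilbert_basis(A_TWO, 3))
```

Raising the bound from 2 to 3 on A_TWO does not change the basis returned, which is what Lemma 5 predicts for any system with at most two occurrences per variable; the checker is deliberately given a bound one larger than the lemma's so that a violation would show up as an extra basis element.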
Theorem 5. The counting problem #HILBERT(2) is in the class #P. 

Proof. In order to establish that the problem #HILBERT(2) belongs to #P, we need to show that the following conditions hold for systems $S$ of homogeneous linear Diophantine equations in reduced form (we use here Lemma 4): (1) the size of every minimal solution of $S$ is bounded by a fixed polynomial in the size of $S$; (2) there is a polynomial-time algorithm to test whether, given a vector $s$ and a system $S$ in reduced form, $s$ is a minimal solution of $S$. The first condition clearly holds (for instance, by Lemma 5). Thus, it remains to show that we can verify in polynomial time that a vector $s$ is a minimal solution of a system $S$. It is straightforward to verify in polynomial time that the vector $s$ is a solution of $S$ and that it satisfies the bounds stated in Lemma 5. To verify minimality, we give a polynomial-time reduction to the problem of finding an alternating circuit or an augmenting path in a graph, a problem that is well known to be solvable in polynomial time. Before proceeding with the rest of the proof, we define the necessary graph-theoretic concepts. 

Let $G = (V, E)$ be a graph. A matching of $G$ is a set $M \subseteq E$ of edges such that no pair of edges in $M$ share a common vertex. A vertex $v \in V$ is called matched by a matching $M$ if there is an edge $e \in M$ incident to $v$. Otherwise, the vertex $v$ is called exposed or free for $M$. An alternating path $p$ for a matching $M$ is a simple path in $G$ (without repeated vertices), joining two distinct vertices, such that edges from $M$ alternate in $p$ with edges from $E \setminus M$. Similarly, an alternating circuit $c$ for $M$ is a simple circuit in $G$ (without repeated vertices except the first and the last one) that alternates edges from $M$ and from $E \setminus M$. An alternating path for a matching $M$ that joins two exposed vertices is called an augmenting path. 

Given a homogeneous linear Diophantine system $S$ over non-negative integers with each variable occurring at most twice and a solution $s$, we will construct a graph $G = (V, E)$ and a matching $M \subseteq E$ having the property that the solution $s$ is not minimal if and only if there exists an alternating circuit or an augmenting path for $M$ not including all vertices of $V$. 

In the first stage, we eliminate from $S$ each variable that takes the value 0 in the solution $s$, and we construct a system $S'$ in the reduced form (cf. Lemma 4) equivalent to the original system $S$. For each solution $s$ of $S$, there exists a solution $s'$ of $S'$ such that $s$ is minimal for $S$ if and only if $s'$ is minimal for $S'$. The system $S'$ has the property that each variable occurs at most twice, once in a type A equation and once in a type B equation. Moreover, the solution $s'$ has the property that the constraint $1 \le s'_i \le 2$ holds for each of its coefficients. 

We will restrict further the system $S'$, so that each variable with one occurrence appears in a type A equation. We will see later, during the transformation of the system $S'$ to the graph $G$, why this restriction is necessary. Before performing this restriction, let us analyze the possible situations for a variable with one occurrence. Assume first that a variable $x$ with one occurrence appears in a type B equation $x = x'$. We perform a case analysis on the number of occurrences of $x'$. If the variable $x'$ has one occurrence and the system $S'$ contains also other equations, then the solution $s'$ is not minimal, since a vector $s^*$, where we set $s^*(x) = s^*(x') = 0$ and $s^*(y) = s'(y)$ for the variables $y$ different from both $x$ and $x'$, is a smaller solution of $S'$ than $s'$. If the variable $x'$ has one occurrence and $x = x'$ is the unique equation in the system $S'$, then $s'$ is minimal if and only if $s'(x) = s'(x') = 1$. Otherwise, if $s'(x) = s'(x') = 2$, then the solution $s'$ is obviously not minimal. If the variable $x'$ has two occurrences, then we can delete the equation $x = x'$ from the system $S'$. This can be done, since the value of the variable $x$ is fully determined by the value of $x'$ and the variable $x'$ is determined by the remaining system $S' \setminus \{x = x'\}$. In the last case, the systems $S'$ and $S' \setminus \{x = x'\}$ have the same number of solutions. Hence, we get a new system $S'' = S' \setminus \{x = x'\}$ and a new solution $s''$, restricted to the variables of $S''$, such that $s$ is a minimal solution of the system $S$ if and only if $s''$ is a minimal solution of the system $S''$. 

We construct a graph $G = (V, E)$ and a matching $M$ from the system $S''$, such that $s$ is a minimal solution of $S$ if and only if there is no augmenting path and no alternating circuit in $G$. The vertices $V$ are constructed from the solution $s'' = (s''_1, \ldots, s''_n)$. For each coefficient $s''_i = 1$ we add the vertex $v_i$ to $V$. Similarly, for each coefficient $s''_i = 2$ we add the vertices $v^1_i$ and $v^2_i$ to $V$. The edges $E$ correspond to the equations of the system $S''$. The set of edges $E$ is the union $E_A \cup E_B$ of two disjoint sets, corresponding respectively to the type A and the type B equations. For each type A equation $x_i + x_k = x_j$ (in which necessarily $s''_i = s''_k = 1$ and $s''_j = 2$, since every coefficient of $s''$ lies between 1 and 2) we add the four edges $(v_i, v^1_j)$, $(v_i, v^2_j)$, $(v_k, v^1_j)$, $(v_k, v^2_j)$ to $E_A$. For each type B equation $x_i = x_j$ such that $s''_i = s''_j = 1$, we add the edge $(v_i, v_j)$ to $E_B$. For each type B equation such that $s''_i = s''_j = 2$, we add the two edges $(v^1_i, v^1_j)$, $(v^2_i, v^2_j)$ to $E_B$. Note that the degree of each vertex $v \in V$ is at most 3 and that the set of edges $E_B$ is a matching $M$ of the graph $G$. Indeed, each vertex is incident to at most one edge from $E_B$, since each variable occurs at most once in a type B equation. 

An augmenting path $p$ in the graph $G$ for a matching $M$ has the property that the vertices at the extremities of $p$ are exposed. We will show that each augmenting path in $G$ for a matching $M$ allows us to construct a new solution $s^*$ smaller than $s$. In fact, the augmenting path $p$ corresponds to a traversal of equations, alternating type A and type B equations. Moreover, the vertices at the extremities of $p$ correspond to variables with one occurrence. Thus, we can construct a new solution $s^*$ from $s$ by decrementing by 1 every variable corresponding to a vertex in the path $p$. The variables $x_i$ with value $s_i = 2$ are represented by two vertices $v^1_i$ and $v^2_i$, hence they can be decremented twice. An alternating circuit $c$ of even length in the graph $G$ for a matching $M$ alternates edges from $M$ with edges from $E \setminus M$. Similarly as for augmenting paths, each alternating circuit of even length in $G$ for a matching $M$ allows us to construct a new solution $s^*$ smaller than $s$. Once more, we decrement by 1 every variable corresponding to a vertex in the circuit $c$. 

Note that the fact of having deleted the type B equations $x = y$ when one of the variables occurs only once allows us to find a 1-to-1 correspondence between a new smaller solution of the system and the existence of an augmenting path or an alternating circuit in the corresponding graph. If we did not delete these equations, we would have alternating paths that are neither augmenting paths nor alternating circuits and that do not correspond to any solution of the system. 

After the construction of the graph $G$ with the matching $M$, we make correspond to each solution $s^*$ such that $s^* < s''$ an augmenting path or an alternating circuit of even length. Indeed, if $r_i = s''_i - s^*_i$ for each $i = 1, \ldots, n$, then there exists an augmenting path or an alternating circuit containing the vertices corresponding to the non-zero coefficients $r_i \neq 0$. If $r_i = 2$ then both vertices $v^1_i$ and $v^2_i$ are in the path or circuit. Otherwise, either $v_i$ is present, when $s''_i = 1$, or one of the vertices $v^1_i$, $v^2_i$ is present, when $s''_i = 2$. We know that finding an augmenting path or an alternating circuit in a graph $G$ for a matching $M$ is a polynomial-time problem. Therefore we can detect the existence of a smaller solution $s^* < s$ in polynomial time. The only drawback is that $s^*$ can be the trivial all-zero solution, when the found augmenting path or alternating circuit contains all vertices of the graph $G$. We must avoid this situation by deleting some edges from $E$, constructing a new graph $G'$. We cannot delete a vertex and all its adjacent edges, since then another vertex, that was matched before, can become exposed. Instead, to ensure that a vertex $v$ is not included in an augmenting path or an alternating circuit, it is sufficient to delete all edges from $E \setminus M$ that are adjacent to $v$. In this case, since no edge from the matching $M$ is deleted, the augmenting paths and the alternating circuits of the graph $G'$ are also augmenting paths and alternating circuits of the original graph $G$. Moreover, it is sufficient to choose only matched vertices $v$ for deleting the adjacent edges from $E \setminus M$, since each exposed vertex is connected by an edge from $E \setminus M$ to a matched vertex. This is a direct consequence of alternating edges from $E_A$ and $E_B$. 

Let $v$ be a matched vertex in the graph $G$ with the matching $M$. Construct the graph $G_v$ from $G$ by deleting the edges from $E \setminus M$ adjacent to $v$. If there exists an augmenting path or an alternating circuit in $G_v$ for $M$, then the solution $s$ of the system $S$ is not minimal. Since there are only polynomially many possibilities to choose a matched vertex in the graph $G$, and an augmenting path or an alternating circuit can be found in polynomial time with respect to the size of the graph, we can check in polynomial time whether a vector $s$ is a minimal solution of a homogeneous linear Diophantine system $S$ in which every variable has at most two occurrences. This completes the proof of the theorem. □ 

It is an interesting open problem to determine whether this upper bound is tight or whether it can be lowered even further. We conjecture that #HILBERT(2) is actually a #P-complete problem. 



5 The Complexity of Counting the Compatible Subsets 

Stickel's algorithm [Sti75] for simultaneous elementary AC-unification proceeds by first finding the Hilbert basis of the associated homogeneous linear Diophantine system, and then producing the set of all compatible subsets of that basis. To gain insight into the inherent complexity of this algorithm, we examine the computational complexity of counting the number of compatible subsets of a given set $T$ of linearly independent and pairwise incomparable vectors of non-negative integers. We identify the complexity of this problem by showing that #COMPATIBLE SUBSETS is #P-complete and, thus, highly intractable. Before embarking on the proof of this result, we remind the reader that, when we speak about linear combinations, we always restrict ourselves to linear combinations with non-negative coefficients. By the same token, when we speak about linearly independent vectors, we mean independence with respect to linear combinations with non-negative coefficients. 

Theorem 6. The counting problem #COMPATIBLE SUBSETS is #P-complete. 

Proof. Since membership in #P is quite obvious, we focus on the #P-hardness of this problem. This will be achieved by showing that #POSITIVE 2SAT has a polynomial-time 1-Turing reduction to #COMPATIBLE SUBSETS. Let $X = \{x_1, \ldots, x_k\}$ be the set of variables and let $C = \{c_1, \ldots, c_m\}$ be the set of clauses of a positive 2CNF formula $\varphi$. Consider the $k \times m$ matrix $A = (a_{ij})$ such that $a_{ij} = 1$ if the variable $x_i$ appears in the clause $c_j$, and $a_{ij} = 0$ otherwise. Without loss of generality, we can assume that no two rows of the matrix $A$ are equal. Indeed, assume that $x$ and $y$ are two variables such that the corresponding rows of $A$ are equal. If each of the variables $x$ and $y$ has at least two occurrences in $\varphi$, say in the clauses $c_i$ and $c_j$, then we must have $c_i = c_j = x \vee y$, which is impossible, since $C$ consists of different clauses. If each of the variables $x$ and $y$ has only one occurrence in $\varphi$, say in the clause $c$, then we can delete the clause $c$ from the set $C$ and consider instead the positive 2CNF formula $\psi$ with clauses $C \setminus \{c\}$. Note that the number of satisfying assignments of $\varphi$ is equal to three times the number of satisfying assignments of $\psi$. The reason for this is that the variables $x$ and $y$ do not occur in $\psi$, whereas the clause $c = x \vee y$ has three satisfying assignments. 

Our goal is to transform $A$ into another matrix $A^*$ such that the rows of $A^*$ form an instance of #COMPATIBLE SUBSETS. For this, we augment the matrix $A$ with an additional column vector $\theta = (\theta_1, \ldots, \theta_k)$ such that each $\theta_i$ is equal to one plus the number of zeros in the $i$-th row of $A$. We claim that the resulting matrix $A^*$ has the property that all rows are pairwise incomparable in the pointwise order and that no row can be written as a linear combination with non-negative coefficients of the remaining rows. 

Since no two rows of $A$ are equal, it follows that the same property holds for the rows of $A^*$. Suppose that $A^*$ has two comparable rows $a^*_i \le a^*_j$. Then the relation $a_i \le a_j$ must hold for the corresponding rows $a_i$ and $a_j$ of $A$. Consequently, the number of the zero entries of row $a_i$ must be bigger than the number of the zero entries of row $a_j$. In turn, this implies that $\theta_i > \theta_j$, which contradicts the inequality $a^*_i \le a^*_j$. Suppose now that $A^*$ has a row $a^*_i$ that is a linear combination with non-negative coefficients of the remaining rows. This implies that the corresponding row $a_i$ of $A$ is a non-negative linear combination of the remaining rows in $A$. It follows that there exists a row $a_j$ of $A$ for some $j \neq i$ that occurs with a positive coefficient in the linear combination producing row $a_i$. Consequently, the inequality $a_j \le a_i$ must hold. As before, this implies that $\theta_j > \theta_i$, and hence the rows $a^*_i$ and $a^*_j$ of $A^*$ must be incomparable. This, however, contradicts the assumption that $a^*_i$ is a non-negative linear combination in which $a^*_j$ occurs with a positive coefficient. 

Counting Problem    Lower Bound    Upper Bound
#HILBERT            #P-hard        #NP
#HILBERT(3)         #P-hard        #NP
#HILBERT(2)         ???            #P
#HILBERT(1)         —              FP

Table 1. The complexity of counting the Hilbert basis 

We now claim that there is a one-to-one correspondence between satisfying truth assignments of the given 2CNF formula $\varphi$ and compatible subsets of the set of rows of $A^*$. A truth assignment to the variables of $\varphi$ can be identified with the set of variables that are assigned value true. Consequently, such a truth assignment can be identified with the subset of the rows of $A^*$ whose corresponding variables are assigned value true. A truth assignment satisfies the positive 2CNF formula $\varphi$ if and only if for each clause $c_i$ there exists at least one variable $x_j$ in $c_i$ such that $x_j$ is assigned value true. This means that the set of rows identified with the truth assignment is a compatible subset of the set of all rows of $A^*$ (note that the last column of $A^*$, the column $\theta$, consists entirely of positive entries). Vice versa, every compatible subset of $A^*$ gives rise to exactly one satisfying assignment of $\varphi$. Thus, we have produced a polynomial-time 1-Turing reduction of #POSITIVE 2SAT to #COMPATIBLE SUBSETS. □ 
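The reduction of Theorem 6 can be exercised end to end on small formulas: build $A$, append the column $\theta$, check the incomparability claim, and compare the number of compatible subsets of the rows of $A^*$ with the number of models of $\varphi$ counted by brute force. The block below is an added example and is not code from the paper. It assumes the definition of a compatible subset used earlier in the paper and not restated in this section, namely that a subset of vectors is compatible if the sum of its members is positive in every coordinate; the two formulas PHI_1 and PHI_2 are constructed here for the illustration.

```python
from itertools import combinations, product

# Added example, not code from the paper: the 1-Turing reduction of
# #POSITIVE 2SAT to #COMPATIBLE SUBSETS from the proof of Theorem 6, checked
# by brute force on constructed instances. Assumed definition (from earlier
# in the paper, not this section): a subset of the vectors is compatible if
# the coordinate-wise sum of its members is positive in every coordinate.
# A positive 2CNF formula is given as a variable count and a list of clauses,
# each clause a pair of distinct 0-based variable indices.


def incidence_matrix(num_vars, clauses):
    """A = (a_ij) with a_ij = 1 iff variable i occurs in clause j."""
    return [[1 if i in clause else 0 for clause in clauses]
            for i in range(num_vars)]


def augment(A):
    """A*: append theta_i = 1 + (number of zeros in row i) to every row."""
    return [row + [1 + row.count(0)] for row in A]


def pairwise_incomparable(rows):
    """No two rows are comparable in the pointwise order (claim of the proof)."""
    def le(s, t):
        return all(a <= b for a, b in zip(s, t))
    return all(not le(s, t) and not le(t, s)
               for s, t in combinations(rows, 2))


def count_compatible_subsets(rows):
    """Number of non-empty subsets of rows whose sum is positive everywhere."""
    count = 0
    for size in range(1, len(rows) + 1):
        for subset in combinations(rows, size):
            if all(sum(col) > 0 for col in zip(*subset)):
                count += 1
    return count


def count_positive_2sat(num_vars, clauses):
    """Brute-force #POSITIVE 2SAT: models of the conjunction of clauses."""
    return sum(1 for a in product((False, True), repeat=num_vars)
               if all(a[i] or a[j] for i, j in clauses))


def reduce_and_check(num_vars, clauses):
    """Run the reduction and return (compatible subsets of A*, models of phi).

    Theorem 6 says the two numbers agree once the rows of A are pairwise
    distinct, which is the case the proof reduces to; that precondition and
    the incomparability claim are asserted rather than trusted.
    """
    A = incidence_matrix(num_vars, clauses)
    assert len({tuple(r) for r in A}) == len(A), "rows of A must be distinct"
    A_star = augment(A)
    assert pairwise_incomparable(A_star)
    return count_compatible_subsets(A_star), count_positive_2sat(num_vars, clauses)


# Constructed instances: (x1 v x2) ^ (x2 v x3) has 5 models;
# (x1 v x2) ^ (x3 v x4) ^ (x1 v x3) has 8 models.
PHI_1 = (3, [(0, 1), (1, 2)])
PHI_2 = (4, [(0, 1), (2, 3), (0, 2)])

if __name__ == "__main__":
    print(reduce_and_check(*PHI_1))
    print(reduce_and_check(*PHI_2))
```

The empty subset is excluded from the count on purpose: its sum is the zero vector, so it is never compatible, and correspondingly the all-false assignment satisfies no clause of a non-empty positive formula.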



6 Concluding Remarks 

In this paper, we initiated a study of the computational complexity of counting the Hilbert basis of a homogeneous system of linear Diophantine equations. We established that #HILBERT is in #NP and also that it is #P-hard under polynomial-time 1-Turing reductions. Admittedly, these results yield only upper and lower bounds on the complexity of this problem. Nonetheless, they appear to be the first results on the complexity of counting the Hilbert basis. Furthermore, we argued that, in view of Toda and Watanabe's work [TW92], it appears unlikely that the bounds obtained here can be made tighter without significant advances in computational complexity. 

We also examined restricted variants of #HILBERT obtained by taking into account the number of occurrences of the variables in the system. In particular, we showed that if each variable has at most two occurrences, then the problem of counting the Hilbert basis is a member of the class #P (see also Table 1). Finally, we established that it is a #P-complete problem to count the number of compatible subsets of a given set of pairwise incomparable and linearly independent vectors. 
Abstract. In this paper we describe new local search algorithms for regular CNF formulas and investigate their suitability for solving problems from the domains of graph coloring and sports scheduling. First, we define suitable encodings for such problems in the logic of regular CNF formulas. Second, we describe Regular-GSAT and Regular-WSAT, as well as some variants, which are a natural generalization of two prominent local search algorithms, GSAT and WSAT, used to solve the propositional satisfiability (SAT) problem in classical logic. Third, we report on experimental results that demonstrate that encoding graph coloring and sports scheduling problems as instances of the SAT problem in regular CNF formulas and then solving these instances with local search algorithms can outperform or compete with state-of-the-art approaches to solving hard combinatorial problems. 



1 Introduction 

In recent years, regular CNF formulas (defined in Section 2) have received in- 
creasing interest in the community working on automated theorem proving in 
multiple-valued logics. This interest is due to the fact that an instance of the 
propositional satisfiability (SAT) problem in any finitely-valued logic is polyno- 
mially reducible to an instance of the SAT problem in regular CNF formulas [7]. 
Moreover, the computational properties of such formulas have been studied and 
efficient algorithms for solving the regular SAT problem have been designed and 
implemented. See [1,2,3,5,8,9,12,13] for further details. 

Motivated by the success of propositional satisfiability algorithms for solving real-world problems encoded as instances of the classical SAT problem (e.g. [4,11]), we will investigate the suitability of local search algorithms for solving graph coloring and sports scheduling problems encoded as instances of the SAT problem in regular CNF formulas. The algorithms we will use to conduct our experiments are Regular-GSAT and Regular-WSAT, as well as some variants, which are a natural generalization of two prominent local search algorithms, GSAT [17] and WSAT [16], used to solve the SAT problem in classical logic. 

* Research partially supported by the project CICYT TIC96-1038-C04-03. The first author is supported by a doctoral fellowship of the Comissionat per a Universitats i Recerca (1998FI00326). 

We believe that encoding combinatorial problems as instances of the regular SAT problem, instead of the classical SAT problem, is a promising approach for several reasons: 

- Classical CNF formulas are a subclass of regular CNF formulas. As the latter are a more expressive representation formalism, some problems encoded as regular SAT instances give rise to more compact encodings. There are combinatorial problems encoded as classical SAT instances that cannot be practically solved because the CNF formulas obtained are too large. It is expected that regular CNF formulas will extend the range and size of problems that can be solved using SAT encodings. 

- Problems encoded as regular SAT instances usually need a smaller number of propositional variables. For instance, an encoding of the $k$-colorability problem for an undirected graph with $|V|$ vertices as a regular SAT instance only needs $|V|$ propositional variables. It is expected that this could have positive effects in the search for a solution. 

- Algorithms and heuristics for classical CNF formulas can be generalized to regular CNF formulas naturally. The good properties of the classical algorithms remain in the regular algorithms [2]. This can be observed in the algorithms Regular-GSAT and Regular-WSAT described in Section 4. This implies that for designing new algorithms for regular CNF formulas we do not have to start from scratch; we can take advantage of the techniques that have proven to be successful in the classical setting. 

In this paper we report on the first experimental investigation conducted to show that regular local search algorithms used to solve real-world problems encoded as regular SAT instances can outperform or compete with state-of-the-art approaches to solving hard combinatorial problems. This claim is confirmed by the experimental results reported here from the domains of graph coloring and sports scheduling. We expect to find a similar behaviour in other problem domains. 

This paper is organized as follows. In Section 2 we define the logic of regular CNF formulas. In Section 3 we define how to encode graph coloring and sports scheduling problems as regular SAT instances. In Section 4 we describe Regular-GSAT and Regular-WSAT. In Section 5 we report on our experimental investigation. We finish the paper with some concluding remarks. 

2 Regular CNF formulas 

Definition 1. A truth value set $N$ is a finite set $\{i_1, i_2, \ldots, i_n\}$, where $n \in \mathbb{N}$. Any subset $S$ of $N$ is a sign. 

Definition 2. Let $\uparrow i$ denote the set $\{j \in N \mid j \ge i\}$ and let $\downarrow i$ denote the set $\{j \in N \mid j \le i\}$, where $\le$ is a total order on the truth value set $N$ and $i \in N$. If a sign $S$ is equal to either $\uparrow i$ or $\downarrow i$, for some $i$, then it is a regular sign. 

Definition 3. Let $S$ be a regular sign and let $p$ be a propositional variable. An expression of the form $S{:}p$ is a regular literal and $S$ is its sign. The complement of the regular literal $L = S{:}p$, denoted by $\overline{L} = \overline{S{:}p}$, is $(N \setminus S){:}p$. A regular clause is a finite set of regular literals. A regular CNF formula is a finite set of regular clauses. The length of a regular CNF formula $\Gamma$ is the total number of occurrences of regular literals in $\Gamma$. 

Definition 4. An interpretation is a mapping that assigns to every propositional variable an element of the truth value set. An interpretation $I$ satisfies a regular literal $S{:}p$ iff $I(p) \in S$. An interpretation satisfies a regular clause iff it satisfies at least one of its regular literals. A regular CNF formula $\Gamma$ is satisfiable iff there exists at least one interpretation that satisfies all the regular clauses in $\Gamma$. A regular CNF formula that is not satisfiable is unsatisfiable. The regular empty clause is always unsatisfiable and the regular empty CNF formula is always satisfiable. 



3 Encodings using regular CNF formulas 

In this section we present the encodings used to formalize the $k$-colorability problem of graphs and the round robin problem of sports scheduling as instances of the regular SAT problem. 

3.1 The $k$-colorability problem of graphs 

In the $k$-colorability problem we are given an undirected graph $G = (V, E)$, where $V$ is the set of vertices and $E$ is the set of edges, and we are asked whether there is a function $c : V \to \{1, \ldots, k\}$ such that for each edge $[u, v] \in E$ we have $c(u) \neq c(v)$. Given such a graph we construct an instance of the regular SAT problem as follows: for each edge $[u, v] \in E$, we define $k$ regular clauses: 

$(C_1)$ $\{\uparrow 2 : u,\ \uparrow 2 : v\}$ 

$(C_2)$ $\{\downarrow 1 : u,\ \uparrow 3 : u,\ \downarrow 1 : v,\ \uparrow 3 : v\}$ 

$\vdots$ 

$(C_i)$ $\{\downarrow (i-1) : u,\ \uparrow (i+1) : u,\ \downarrow (i-1) : v,\ \uparrow (i+1) : v\}$ 

$\vdots$ 

$(C_{k-1})$ $\{\downarrow (k-2) : u,\ \uparrow k : u,\ \downarrow (k-2) : v,\ \uparrow k : v\}$ 

$(C_k)$ $\{\downarrow (k-1) : u,\ \downarrow (k-1) : v\}$ 

and we take as truth value set $N = \{1, \ldots, k\}$. The intended meaning of the previous regular clauses is that vertex $u$ and vertex $v$ do not have the same color. For each $i \in \{1, \ldots, k\}$, the intended meaning of regular clause $C_i$ is that vertex $u$ and vertex $v$ are not both colored with color $i$. Observe that from the definition of interpretation we can ensure that every vertex is colored with only one color. Also observe that the length of the regular CNF formula obtained is in $O(|N| \cdot |E|)$, where $|N|$ is the number of colors and $|E|$ is the number of edges. 
3.2 The round robin problem 

In this section we first introduce the round robin problem and then its formalization using the logic of regular CNF formulas. In the description of the round robin problem below we follow the presentation of [6]. 

In sports scheduling problems one of the issues is timetabling, where by timetabling we mean determining the existence of a feasible schedule that takes into consideration constraints on how the competing teams can be paired, as well as how each team's games are distributed in the entire schedule. The round robin problem for $n$ teams ($n$-team round robin problem) is formally defined as follows: 

1. There are $n$ teams ($n$ even) and every two teams play each other exactly once. 

2. The season lasts $n - 1$ weeks. 

3. Every team plays one game in each week of the season. 

4. There are $n/2$ periods and, each week, every period is scheduled for one game. 

5. No team plays more than twice in the same period over the course of the season. 

Table 1 shows a solution that we have obtained in our experiments for the 10-team round robin problem; teams are named $1, \ldots, 10$. An $n$-team round robin timetable contains $n(n-1)/2$ slots and each slot is filled in with a game. A game is represented by a pair of teams $(t_1, t_2)$ such that $1 \le t_1 < t_2 \le n$. 





          Week 1  Week 2  Week 3  Week 4  Week 5  Week 6  Week 7  Week 8  Week 9
Period 1  (6,9)   (4,6)   (1,8)   (4,10)  (2,8)   (7,9)   (5,7)   (1,2)   (3,5)
Period 2  (2,3)   (1,5)   (2,4)   (1,7)   (9,10)  (8,10)  (3,6)           (6,8)
Period 3  (5,10)  (2,7)   (3,9)   (5,9)   (1,3)   (1,6)   (4,8)   (6,10)  (4,7)
Period 4  (1,4)   (8,9)   (5,6)   (3,8)   (6,7)   (2,5)   (1,10)  (3,7)   (2,10)
Period 5  (7,8)   (3,10)  (7,10)  (2,6)   (4,5)   (3,4)   (2,9)   (5,8)   (1,9)

Table 1. A 10-team round robin timetable (the Week 8 entry of Period 2 is missing from the source) 



The $n$-team round robin problem is encoded as an instance of the regular SAT problem as follows: 

1. The truth value set is $\{1, 2, \ldots, n\}$. Each truth value represents a team. 

2. The set of propositional variables is 

$\{p^r_{ij} \mid 1 \le r \le 2,\ 1 \le i \le n/2,\ 1 \le j \le n-1\}$ 

and its cardinality is $n(n-1)$. Each slot in the timetable is represented by a pair of variables. The pair $(p^1_{ij}, p^2_{ij})$ refers to the slot corresponding to period $i$ and week $j$. Since the total number of slots is $n(n-1)/2$, we use $n(n-1)$ variables. Given a satisfying interpretation $I$, the intended meaning of $(p^1_{ij}, p^2_{ij})$ is that team $I(p^1_{ij})$ will play against team $I(p^2_{ij})$ in period $i$ and week $j$. 

3. For each slot $(p^1_{ij}, p^2_{ij})$, we define the regular clause 

$\{\downarrow (n-1) : p^1_{ij}\}$ 

in order to ensure that $I(p^1_{ij}) < n$. 

4. For each team $t$ and for each slot $(p^1_{ij}, p^2_{ij})$, we define the regular clause 

$\{\downarrow (t-1) : p^1_{ij},\ \uparrow (t+1) : p^1_{ij},\ \uparrow (t+1) : p^2_{ij}\}$ 

in order to ensure that $I(p^1_{ij}) < I(p^2_{ij})$. We assume in all the steps that regular literals either of the form $\downarrow 0 : p$ or of the form $\uparrow (n+1) : p$ appearing in a regular clause are removed. 

5. For each two different slots $(p^1_{i_1 j_1}, p^2_{i_1 j_1})$ and $(p^1_{i_2 j_2}, p^2_{i_2 j_2})$, and for each possible game $(t_1, t_2)$, we define the regular clause 

$\{\downarrow (t_1 - 1) : p^1_{i_1 j_1},\ \uparrow (t_1 + 1) : p^1_{i_1 j_1},\ \downarrow (t_2 - 1) : p^2_{i_1 j_1},\ \uparrow (t_2 + 1) : p^2_{i_1 j_1},$ 
$\ \downarrow (t_1 - 1) : p^1_{i_2 j_2},\ \uparrow (t_1 + 1) : p^1_{i_2 j_2},\ \downarrow (t_2 - 1) : p^2_{i_2 j_2},\ \uparrow (t_2 + 1) : p^2_{i_2 j_2}\}$ 

in order to ensure that every two teams play each other exactly once. Since the total number of slots coincides with the total number of possible games, the above regular clauses not only ensure that each possible game appears in at most one slot, but exactly once. 

6. For each team $t$ and for each two different variables $p^{r_1}_{i_1 j}$ and $p^{r_2}_{i_2 j}$ such that $i_1 \neq i_2$, we define the regular clause 

$\{\downarrow (t-1) : p^{r_1}_{i_1 j},\ \uparrow (t+1) : p^{r_1}_{i_1 j},\ \downarrow (t-1) : p^{r_2}_{i_2 j},\ \uparrow (t+1) : p^{r_2}_{i_2 j}\}$ 

in order to ensure that every team plays one game in each week of the season. 

7. For each team $t$, for each period $i$, and for each three different weeks $j_1$, $j_2$ and $j_3$, we define the regular clauses 

$\bigwedge_{1 \le r_1 \le 2}\ \bigwedge_{1 \le r_2 \le 2}\ \bigwedge_{1 \le r_3 \le 2}\ \{\downarrow (t-1) : p^{r_1}_{i j_1},\ \uparrow (t+1) : p^{r_1}_{i j_1},\ \downarrow (t-1) : p^{r_2}_{i j_2},\ \uparrow (t+1) : p^{r_2}_{i j_2},\ \downarrow (t-1) : p^{r_3}_{i j_3},\ \uparrow (t+1) : p^{r_3}_{i j_3}\}$ 

in order to ensure that no team plays more than twice in the same period over the course of the season. 

The length of the regular CNF formula obtained for the $n$-team round robin problem is in $O(n^6)$: step 5 alone produces a clause of eight literals for every pair of slots and every game, and there are $\Theta(n^2)$ slots and $\Theta(n^2)$ games. If we use additional variables, we can reduce the length of the regular CNF formula derived. We solved the $n$-team round robin problem using additional variables, but the running times obtained were worse. 
4 Regular local search algorithms 

In this section we describe a number of regular local search algorithms that we have designed and implemented in C++ in order to conduct our experimental investigation. First, we describe Regular-GSAT and Regular-WSAT, which are a natural generalization of GSAT [17] and WSAT [16] (also called walksat) to the framework of regular CNF formulas. We then describe Regular-WSAT/G, which is a generalization of WSAT/G [14] (a variant of WSAT often used in the literature). Finally, we describe the averaging strategy of [15] that we have extended to the regular setting and incorporated into the previous algorithms. Each algorithm differs from the others in the strategy employed to escape from local minima. 

Regular-GSAT, whose pseudo-code is shown in Figure 1, tries to find a satisfying 
interpretation for a regular CNF formula F by performing a greedy local 
search through the space of possible interpretations. It starts with a randomly 
generated interpretation I. If I does not satisfy F, it creates a set S formed by 
the variable-value pairs (p, k) that, when the truth value that I assigns to p is 
changed to k, give the largest decrease (it may be zero or negative) in the total 
number of unsatisfied clauses of F. Then, it randomly chooses a propositional 
variable p' that appears in S. Once p' is selected, it randomly chooses a truth 
value k' from those that appear in variable-value pairs of S that contain p'. Next, 
it changes the assignment of the propositional variable p' to the truth value k'. 
Such changes are repeated until either a satisfying interpretation is found or a 
pre-set maximum number of changes (MaxChanges) is reached. This process is 
repeated as needed, up to a maximum of MaxTries times. 

The pseudo-code of Regular-WSAT is shown in Figure 2. The way of making 
changes in Regular-WSAT and Regular-GSAT is different. Regular-WSAT proceeds 
as follows: (i) it randomly chooses an unsatisfied clause C, (ii) it chooses, 
using function select-WSAT, a variable-value pair (p', k') from the set S of 
pairs (p, k) such that C is satisfied by the current interpretation I if the truth 
value that I assigns to p is changed to k, and (iii) it creates a new interpretation 
I' that is identical to I except that I'(p') = k'. Function select-WSAT calculates, 
for each pair (p, k) in S, the number of broken clauses, i.e. the number of clauses 
that are satisfied by I but that would become unsatisfied if the assignment of p 
is changed to k. If the minimum number of broken clauses found (u) is greater 
than zero then either it randomly chooses, with probability w, a pair (p', k') from 
S or it randomly chooses, with probability 1 − w, a pair (p', k') from those pairs 
for which the number of broken clauses is u. If u = 0, then it randomly chooses 
a pair from those pairs for which the number of broken clauses is 0. 

Regular-WSAT/G differs from Regular-WSAT in the function that chooses 
the variable-value pair (p', k') that gives rise to a new interpretation. The 
pseudo-code of such a function, called select-WSAT/G, is shown in Figure 3. 
Function select-WSAT/G calculates, for each pair (p, k) in S, the decrease in 
the number of unsatisfied clauses when the truth value of p is changed to k. If 
the maximum decrease found is u' then either it randomly chooses, with probability 
w, a pair (p', k') from S or it randomly chooses, with probability 1 − w, a 
pair (p', k') from those pairs whose decrease is u'. 

procedure Regular-GSAT 
Input: a regular CNF formula F, MaxChanges and MaxTries 
Output: a satisfying interpretation of F, if found 
begin 
  for i := 1 to MaxTries 
    I := a randomly generated interpretation for F; 
    for j := 1 to MaxChanges 
      if I satisfies F then return I; 
      Let S be the set of variable-value pairs of the form (p, k) that, when 
        the truth value that I assigns to p is changed to k, give the largest 
        decrease in the total number of clauses of F that are unsatisfied; 
      Pick one variable p' from the set {p | (p, k) ∈ S}; 
      Pick one value k' from the set {k | (p', k) ∈ S}; 
      I := I with the truth assignment of p' changed to k'; 
    end for 
  end for 
  return "no satisfying interpretation found"; 
end 

Figure 1. The Regular-GSAT procedure 

The averaging strategy [15] modifies the way in which the procedure generates 
a new interpretation at the beginning of each try. The idea behind 
this strategy is to profit from the interpretations found in previous tries. We 
have generalized this strategy as follows. Let $I_i^{\mathrm{init}}$ and $I_i^{\mathrm{final}}$ be the interpretation 
at the beginning and at the end, respectively, of the i-th try. In the 
first try, the procedure randomly generates $I_1^{\mathrm{init}}$. In the second try, it generates 
$I_2^{\mathrm{init}}$ from $I_1^{\mathrm{init}}$ and $I_1^{\mathrm{final}}$ as follows: the value assigned to a variable is 
u if u is the value that both $I_1^{\mathrm{init}}$ and $I_1^{\mathrm{final}}$ assign to the variable; otherwise 
(the values assigned to the variable are different), the value is randomly 
chosen either from $I_1^{\mathrm{init}}$ or from $I_1^{\mathrm{final}}$ with equal probability. The initial 
interpretation $I_i^{\mathrm{init}}$ for the remaining tries is generated as above but using the 
interpretations $I_{i-1}^{\mathrm{init}}$ and $I_{i-1}^{\mathrm{final}}$. We reset the initial interpretation to a new 
randomly generated interpretation after a pre-set number of tries. We will refer 
to Regular-GSAT, Regular-WSAT and Regular-WSAT/G incorporating this 
strategy as Regular-GSAT+A, Regular-WSAT+A and Regular-WSAT/G+A, 
respectively. 
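The Regular-WSAT loop, its select-WSAT function and the averaging strategy of the +A variants, as an added example in Python (not the authors' C++ implementation). The tuple representation of regular literals, the graph colouring encoding, the 5-cycle instance and the parameter values are constructed for this example.

```python
"""Regular-WSAT (Figure 2) with the select-WSAT break-count heuristic, plus the
averaging strategy of the "+A" variants.  Added example, not the authors' C++
code.  A regular literal is a tuple (sign, i, p): ('up', i, p) is the literal
"up i:p", true when I(p) >= i, and ('down', i, p) is "down i:p", true when
I(p) <= i.  A regular CNF formula is a list of clauses (lists of regular
literals) whose variables range over the truth values 1..n."""
import random


def lit_satisfied(lit, interp):
    sign, i, p = lit
    return interp[p] >= i if sign == 'up' else interp[p] <= i

def clause_satisfied(clause, interp):
    return any(lit_satisfied(lit, interp) for lit in clause)

def unsatisfied(formula, interp):
    return [c for c in formula if not clause_satisfied(c, interp)]

def broken(pair, formula, interp):
    """broken((p, k), F) of Figure 2: clauses satisfied by interp that
    become unsatisfied when the value of p is changed to k."""
    p, k = pair
    changed = dict(interp)
    changed[p] = k
    return sum(1 for c in formula
               if clause_satisfied(c, interp) and not clause_satisfied(c, changed))

def repair_pairs(clause, n):
    """S of Figure 2: the (p, k) pairs that make the unsatisfied clause true."""
    return {(p, k) for sign, i, p in clause for k in range(1, n + 1)
            if (sign == 'up' and k >= i) or (sign == 'down' and k <= i)}

def pick(pairs, rng):
    """Pick a variable from the pairs, then a value among that variable's pairs."""
    p = rng.choice(sorted({p for p, _ in pairs}))
    return p, rng.choice(sorted(k for q, k in pairs if q == p))

def select_wsat(S, formula, interp, w, rng):
    """Function select-WSAT of Figure 2."""
    cost = {pair: broken(pair, formula, interp) for pair in S}
    u = min(cost.values())
    if u > 0 and rng.random() < w:      # noise move, taken with probability w
        return pick(S, rng)
    return pick({pair for pair in S if cost[pair] == u}, rng)

def averaged(init, final, rng):
    """Initial interpretation of the averaging strategy: keep the values on which
    the previous try's initial and final interpretations agree, choose with equal
    probability where they differ (the periodic reset to a random interpretation
    is omitted here)."""
    return {p: init[p] if init[p] == final[p] else rng.choice((init[p], final[p]))
            for p in init}

def regular_wsat(formula, n, max_changes, max_tries, w, seed=0, averaging=False):
    """Returns a satisfying interpretation {variable: value}, or None."""
    rng = random.Random(seed)
    variables = sorted({p for c in formula for _, _, p in c})
    init = final = None
    for _ in range(max_tries):
        if averaging and final is not None:
            interp = averaged(init, final, rng)
        else:
            interp = {p: rng.randint(1, n) for p in variables}
        init = dict(interp)
        for _ in range(max_changes):
            unsat = unsatisfied(formula, interp)
            if not unsat:
                return interp
            S = repair_pairs(rng.choice(unsat), n)
            if not S:                       # no single change can satisfy it
                break
            p, k = select_wsat(S, formula, interp, w, rng)
            interp[p] = k
        final = interp
    return None

def coloring_formula(edges, n):
    """Regular CNF encoding of n-colourability.  For each edge (u, v) and colour
    t the clause {down(t-1):u, up(t+1):u, down(t-1):v, up(t+1):v} forbids
    u = v = t, the same 'two variables must not share the value t' pattern as
    the round robin clauses above; literals outside 1..n are dropped."""
    return [[lit for lit in [('down', t - 1, u), ('up', t + 1, u),
                             ('down', t - 1, v), ('up', t + 1, v)]
             if 1 <= lit[1] <= n]
            for u, v in edges for t in range(1, n + 1)]

if __name__ == "__main__":
    cycle = [(1, 2), (2, 3), (3, 4), (4, 5), (5, 1)]   # constructed: a 5-cycle
    print(regular_wsat(coloring_formula(cycle, 3), 3, 200, 20, 0.3, seed=7))
```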

procedure Regular-WSAT 
Input: a regular CNF formula F, MaxChanges, MaxTries and w 
Output: a satisfying interpretation of F, if found 
begin 
  for i := 1 to MaxTries 
    I := a randomly generated interpretation for F; 
    for j := 1 to MaxChanges 
      if I satisfies F then return I; 
      Pick one unsatisfied clause C from F; 
      S := {(p, k) | p occurs in C and C is satisfied by I with the value of p changed to k}; 
      (p', k') := select-WSAT(S, F, w); 
      I := I with the truth assignment of p' changed to k'; 
    end for 
  end for 
  return "no satisfying interpretation found"; 
end 

function select-WSAT(S, F, w) : (propositional_variable, truth_value) 
begin 
  u := min({broken((p, k), F) | (p, k) ∈ S}); 
  if (u > 0) then 
    with probability w 
      Pick one variable p' from the set {p | (p, k) ∈ S}; 
      Pick one value k' from the set {k | (p', k) ∈ S}; 
      return (p', k'); 
    end with 
  end if 
  Pick one variable p' from the set {p | broken((p, k), F) = u, (p, k) ∈ S}; 
  Pick one value k' from the set {k | broken((p', k), F) = u, (p', k) ∈ S}; 
  return (p', k'); 
end 

Figure 2. The Regular-WSAT procedure 

function select-WSAT/G(S, F, w) : (propositional_variable, truth_value) 
begin 
  u' := max({decrease((p, k), F) | (p, k) ∈ S}); 
  with probability w 
    Pick one variable p' from the set {p | (p, k) ∈ S}; 
    Pick one value k' from the set {k | (p', k) ∈ S}; 
    return (p', k'); 
  end with 
  Pick one variable p' from the set {p | decrease((p, k), F) = u', (p, k) ∈ S}; 
  Pick one value k' from the set {k | decrease((p', k), F) = u', (p', k) ∈ S}; 
  return (p', k'); 
end 

Figure 3. The selection function for the Regular-WSAT/G procedure 

5 Experimental results 

In this section we report on a series of experiments performed in order to compare 
the performance of the above algorithms in graph coloring and sports scheduling 
problems. Such experiments were performed on a Sun Sparc Ultra-4 with 384 MB 
of memory. In the tables below, we give the setting of MaxChanges (MC), and the 
best time and the median time obtained for each one of the instances considered. 
Each graph coloring instance was run nine times with each algorithm. The cutoff 
time for each instance was 9 hours. Each sports scheduling instance was run nine 
times with each algorithm. The cutoff time for each instance was 12 hours. If the 
median is *, it means that there was at least one run that did not finish within 
the cutoff time. If the best time is *, it means that the algorithm was unable to 
solve that instance within the cutoff time. 

Table 2 shows the experimental results obtained for some graph coloring 
instances considered in [10] and in [15]. Our results indicate that the performance 
of our algorithms is competitive with the results of [10,15]. It is difficult to provide 
a more accurate comparison because the hardware used in the experiments was 
different and the results reported in [15] are not very detailed. 

Table 3 shows the experimental results obtained for some instances of the 
n-team round robin problem considered in [6]. Using an integer programming 
formulation, Gomes et al. [6] were unable to find a solution for this problem 
for n = 14, and it took them 14 hours to find a solution for n = 12. Using a 
constraint programming formulation, they did not find a solution for n = 16 with 
a deterministic algorithm. Using the same constraint programming formulation, 
they found a solution for n = 16 with a randomized constraint programming 
algorithm in 2 hours on average, which is competitive with our results. It is 
worth mentioning that the algorithm of [6] was executed 100 times and found 
a solution in 6 runs; with Regular-WSAT/G we found a solution in each run. 
These results suggest that Regular-WSAT/G is a good candidate to solve the 
round robin problem. As far as we know, it is the first time that the round robin 
problem has been solved with a propositional satisfiability algorithm. 
Instance        Colors  MC      Regular-GSAT         Regular-WSAT         Regular-WSAT+A 
                                time (h:m:s)         time (h:m:s)         time (h:m:s) 
                                minimum   median     minimum   median     minimum   median 
DSJC125.5.col   18 
DSJC125.5.col   17              * 
C250.5x.col     15 
DSJC250.5.col   29              *         *          1:19:50   *          1:33:53 

Table 2. Experimental results for instances of the k-colorability problem 



Instance   MC      Regular-WSAT/G         Regular-WSAT/G+A 
                   time (h:m:s)           time (h:m:s) 
                   minimum    median      minimum    median 
6-team     20000   0:00:01    0:00:01     0:00:01    0:00:01 
8-team     25000   0:00:01    0:00:03     0:00:01    0:00:04 
10-team    30000   0:00:03    0:01:33     0:00:02    0:00:39 
12-team    40000   0:01:09    0:06:10     0:02:00    0:16:17 
14-team    80000   0:11:05    1:18:34     0:29:02    1:16:43 
16-team    90000   0:18:46    2:21:14     *          * 

Table 3. Experimental results for instances of the n-team round robin problem 



6 Concluding remarks 

In this paper we have described a number of new local search algorithms for regular 
CNF formulas and reported on an experimental investigation that provides 
evidence that regular CNF formulas are a suitable formalism for representing and 
solving combinatorial problems. The approach presented here can outperform or 
compete with state-of-the-art approaches to solving hard combinatorial problems. 
As case studies we have considered graph coloring and sports scheduling 
problems. We plan to investigate other problem domains in the near future. 
Abstract. In this paper we continue to develop the approach to automated 
search for theorem proofs started in Kyiv in the 1960-1970s. This 
approach presupposes the development of deductive techniques used for 
the processing of mathematical texts, written in a formal first-order language 
close to the natural language used in mathematical papers. We 
construct two logical calculi, gS and mS, satisfying the following requirements: 
the syntactical form of the initial problem should be preserved; 
the proof search should be goal-oriented; preliminary skolemization is 
not obligatory; equality handling should be separated from the deduction 
process. The calculus gS is a machine-oriented sequent-type calculus 
with "large-block" inference rules for first-order classical logic. The calculus 
mS is a further development of the calculus gS, enriched with formal 
analogs of the natural proof search techniques such as definition handling 
and application of auxiliary propositions. The results on soundness and 
completeness of gS and mS are given. 



1 Introduction 

Investigations in automated reasoning gave rise to the appearance of various 
computer-oriented calculi for proof search in classical 1st-order logic. In 
practical applications preference is usually given to the methods based on the 
results of Skolem and Herbrand (for instance, resolution-type methods, Maslov's 
inverse method, tableau methods, connection graph methods, etc.). The possibilities 
given by Gentzen-type calculi are less investigated. This happens due 
to the higher efficiency of methods of the first kind as compared to sequent-type calculi. 
This is mainly connected with the various orders of quantifier rule applications 
and formula duplications in Gentzen calculi, while the methods of the first kind, due to 
skolemization, are free from this deficiency. 

* On leave from Glushkov Institute of Cybernetics 




Evidence Algorithm and Sequent Logical Inference Search 



At the same time, the deduction process in Gentzen calculi reflects natural 
theorem-proving methods which, as a rule, do not include preliminary formula 
skolemization, so that logical inference is made within the scope of the signature 
of the initial theory. This feature of Gentzen calculi becomes important when 
the proof is found in an interactive mode, since it is preferable to present the 
output data in the form usual for a user. This is how the problem of efficient 
quantifier manipulation makes its appearance. 

The desire to overcome the lack of efficiency of standard Gentzen-type calculi 
has resulted in the appearance of the sound and complete 1st-order calculus of 
a-sequents [1] (denoted by S below), which uses the original notion of an admissible 
substitution to optimize the enumeration connected with the possibilities 
of different orders of elimination of quantifiers (without obligatorily carrying out 
preliminary skolemization). It has been shown later that this notion of an admissible 
substitution can be easily introduced into standard Gentzen calculi [2]. 
The S calculus was constructed to meet the following requirements: the syntactical 
form of an initial problem should be preserved; preliminary skolemization 
is not obligatory; proof search should be goal-oriented; equality handling should 
be separated from the deduction process. 

In this paper such an approach to automated theorem proving is realized by 
means of constructing certain modifications of S, denoted by gS and mS. 

The calculus gS is a Gentzen modification of the calculus S for classical first-order 
logic; the main results on gS are presented. 

The calculus mS is a modification of the calculus gS "enriched" with rules for 
the application of definitions and auxiliary propositions for machine-oriented logical 
inference search in the environment of a self-contained mathematical text written 
in the so-called first-order TL-language (TL 1-language). 



2 Historical Notes 

The calculus S was developed in the framework of the complex programme of 
automated theorem proving. This programme was initiated by V.M. Glushkov at 
the beginning of the 1960s and called Algoritm Ochevidnosti (Evidence Algorithm), 
or AO. An exposition of the idea of AO can be found in [3]. 

In fact, in the frame of the programme it was proposed to conduct in parallel 
the following main lines of investigation: 

1) construction of a formalized language (languages) for writing down mathematical 
texts from different substantial sections of mathematics in a form 
which is as close as possible to the form of natural-language mathematical 
publications; 

2) formalization and consecutive development of the concept of machine evidence 
of a proof: every proof step in a formalized text has to be properly 
substantiated by computer with the use of formal proof search methods and 
mathematical facts already known to AO; 

3) construction and development (by means of AO) of an information base containing 
descriptions of mathematical concepts, their connections and properties, 
and having an influence on the concept of evidence of a proof step; 

4) implementation of an interface which enables a user to understand a proof 
search process and control it in an interactive mode. 

The first paper about the development (in Kyiv) of a procedure for theorem 
proof search appeared in 1966 [4]. Its further improvement resulted in the construction 
of a machine-oriented inference search procedure for logical calculi [5]. 

In 1970 a new period in the realization of the AO programme began. The main 
characteristic feature of the works carried out during that period was their orientation 
towards forming an integral mathematical text processing system as a single 
whole. 

During that period, research on language support for the system was carried 
out and the input language TL (Theory Language) of the system was developed 
[6]; it was similar to the natural mathematical one and convenient, from the 
practical point of view, for use in man-machine systems. Also, various logical 
inference search methods were proposed and investigated (a machine-oriented 
sequent-type calculus without skolemization [1], resolution-type methods with 
a possibility to attach various techniques for equality handling [7], heuristic 
methods of proof search based on using auxiliary propositions, or lemmas 
[8]). 

After a number of experiments with the system [9], the system was improved 
and extended in various directions. As a result, in 1980 the first implemented 
version of the system, called SAD (Systema Avtomatizatsiyi Dokazatel'stv), was 
described in [10]. 

After 1980 SAD was developed in the following directions: formulation of 
admissible inference rules for resolution-type procedures to reduce enumeration 
during inference search; development of equality handling techniques; 
investigation of natural theorem proving techniques and their combination with 
resolution procedures [11, 12]. Note that the proof search procedures of SAD could 
function both in automatic and interactive modes. 

At the beginning of the 1990s, when ES computers went out of use, the experiments 
with SAD were curtailed. 

In more detail, the history of investigation on AO is given in [13]. 

This paper reflects present efforts to attack problems in automated theorem 
proving in the AO-style. 



3 Logical Inference Search in the AO-style 

In this section, we give a formal description of the calculus gS, the main results 
on the calculus, and exemplify its peculiarities. 

As for mS, we shall restrict ourselves to the consideration of the substantial 
interpretation of mS, drawing the analogy to the calculus gS, and to an example 
of constructing the proof of a certain theorem. To make this proof transparent 
we comment every proof step in detail. We hope that the example will make up 
a good background for understanding the approach to ATP in the AO-style. 



3.1 The Calculus gS 

We treat here classical first-order logic in the form of the sequent calculus G 
given in [14]. We use the name Gal instead of G. 

We treat the notion of a substitution as in [15]. Any substitutional component 
is considered to be of the form $t/x$, where $x$ is a variable and $t$ is a term of a 
substitution. 

Let $L$ be a literal; then $\sim L$ denotes its complement. We use the expression 
$L(t_1, \ldots, t_n)$ to denote that $t_1, \ldots, t_n$ is a list of all the terms (possibly with 
repetitions) occupying the argument places in the literal $L$ in the order of their 
occurrences in $L$. If $x, y$ are variables and $F$ is a formula then $F|^x_y$ denotes the 
result of replacing $x$ with $y$. 

We also assume that besides usual variables there are two countable sets of 
special variables, namely unknown variables and fixed variables (sequences of 
"dummies" and "parameters" in the terminology of [16]). 

Note that the basic object of gS (as of S [1]) is an a-sequent. An a-sequent 
may be considered as a special generalization of the standard notion of a sequent. 
We consider a-sequents having only one object (goal) in their succedent. 

An ordered triple $\langle w, F, E\rangle$ is called an ensemble iff $w$ is a sequence (a 
word) of unknown and fixed variables, $F$ is a 1st-order formula, and $E$ is a set 
of pairs of terms $t_1, t_2$ (equations of the form $t_1 = t_2$). 

An a-sequent is an expression of the form $[B], \langle w_1, P_1, E_1\rangle, \ldots, \langle w_n, P_n, E_n\rangle \Rightarrow \langle w, F, E\rangle$, 
where $\langle w_1, P_1, E_1\rangle, \ldots, \langle w_n, P_n, E_n\rangle, \langle w, F, E\rangle$ are 
ensembles and $[B]$ is a list of literals, possibly empty. 

Ensembles in the antecedent of an a-sequent are called premises, and the 
ensemble in the succedent of an a-sequent is called the goal of this a-sequent. The 
collection of the premises is thought of as a set, so the order of the premises is 
immaterial. 

Let $W$ be a set of sequences of unknown and fixed variables, and $s$ be a 
substitution. Put $A(W, s) = \{\langle z, t, w\rangle : z$ is a variable of $s$, $t$ is a term of $s$, 
$w \in W$, and $z$ lies in $w$ to the left of some fixed variable from $t\}$. Then $s$ is said 
to be admissible for $W$ iff (1) the variables of $s$ are unknown variables only, and 
(2) there are no elements $\langle z_1, t_1, w_1\rangle, \ldots, \langle z_n, t_n, w_n\rangle$ in $A(W, s)$ such that 
$t_2/z_1 \in s, \ldots, t_n/z_{n-1} \in s, t_1/z_n \in s$ ($n > 0$). 

Decomposition of some formula $F$ by its principal logical connective and possible 
interaction with $P_i$ results in generating new a-sequents. The sets $E_1, \ldots, E_n, E$ 
define the terms to be substituted for the unknown variables in order to transform 
every equation $t_1 = t_2$ from $E_1, \ldots, E_n, E$ into an identity $t = t$ after applying to 
$E_1, \ldots, E_n, E$ a substitution chosen in a certain way. The sets $w_1, \ldots, w_n, w$ serve to 
check whether the substitutions generated during proof search are admissible. 
Note that in any a-sequent some (or all) sequences from $w_1, \ldots, w_n, w$ and some 
(or all) sets from $E_1, \ldots, E_n, E$ may be empty. 
An initial a-sequent is constructed as follows. Suppose that we want to establish 
the deducibility of a sequent $P_1, \ldots, P_n \Rightarrow F$ (in terms of the calculus 
Gal). Then the a-sequent $[\,], \langle\,, P_1,\,\rangle, \ldots, \langle\,, P_n,\,\rangle \Rightarrow \langle\,, F,\,\rangle$ will be considered as 
an initial a-sequent (w.r.t. $P_1, \ldots, P_n \Rightarrow F$). 

During proof search in gS an inference tree is constructed. At the beginning 
of a search process it consists of an initial a-sequent. The subsequent nodes 
of the inference tree are generated in accordance with the rules described below. 
Inference trees grow "from top to bottom". 

Goal Splitting Rules (GS-rules). These rules are used for elimination of the 
principal logical connective from the formula in the goal of the a-sequent being 
processed. Application of any rule results in the generation of a new a-sequent (a-sequents) 
with only one goal (and, possibly, with new premises). Elimination 
of the propositional connectives is done according to the rules of 1st-order classical 
logic. It can be easily expressed in terms of derivative rules of standard 
Gentzen-type calculi, and $w_1, \ldots, w_n, w, E_1, \ldots, E_n, E$ are not changed thereby. 
Essential deviation from traditional Gentzen techniques of inference search is observed 
in quantifier processing. This deviation reflects specific quantifier handling 
techniques, where variables of eliminated quantifiers are replaced by unknown or 
fixed variables depending on the eliminated quantifier. Thereby $w$, but not 
$w_1, \ldots, w_n, E_1, \ldots, E_n, E$, is changed, and new premises can be generated. 

In the formulation of the rules below, $M$ denotes a set of premises. 

Propositional Rules 

(⇒⊃1)-rule: 
  $[B], M \Rightarrow \langle w, F \supset F_1, E\rangle$ 
  ------------------------------------------------ 
  $[B], M, \langle w, F, E\rangle \Rightarrow \langle w, F_1, E\rangle$ 

(⇒⊃2)-rule: 
  $[B], M \Rightarrow \langle w, F \supset F_1, E\rangle$ 
  ------------------------------------------------ 
  $[B], M, \langle w, \neg F_1, E\rangle \Rightarrow \langle w, \neg F, E\rangle$ 

(⇒∧)-rule: 
  $[B], M \Rightarrow \langle w, F \wedge F_1, E\rangle$ 
  ------------------------------------------------ 
  $[B], M \Rightarrow \langle w, F, E\rangle$        $[B], M \Rightarrow \langle w, F_1, E\rangle$ 

(⇒∨1)-rule: 
  $[B], M \Rightarrow \langle w, F \vee F_1, E\rangle$ 
  ------------------------------------------------ 
  $[B], M, \langle w, \neg F, E\rangle \Rightarrow \langle w, F_1, E\rangle$ 

(⇒∨2)-rule: 
  $[B], M \Rightarrow \langle w, F \vee F_1, E\rangle$ 
  ------------------------------------------------ 
  $[B], M, \langle w, \neg F_1, E\rangle \Rightarrow \langle w, F, E\rangle$ 

(⇒¬)-rule: 
  $[B], M \Rightarrow \langle w, \neg F, E\rangle$ 
  ------------------------------------------------ 
  $[B], M \Rightarrow \langle w, F', E\rangle$ 

where $F'$ is the result of one-step transferring of ¬ into $F$. 

Quantifier Rules 

(⇒∀)-rule: 
  $[B], M \Rightarrow \langle w, \forall x F, E\rangle$ 
  ------------------------------------------------ 
  $[B], M \Rightarrow \langle wx, F, E\rangle$ 

where $x$ is a new fixed variable. 

(⇒∃)-rule: 
  $[B], M \Rightarrow \langle w, \exists x F, E\rangle$ 
  ------------------------------------------------ 
  $[B], M, \langle w, \forall x \neg F, E\rangle \Rightarrow \langle wx', F|^x_{x'}, E\rangle$ 

where $x'$ is a new unknown variable. 



Auxiliary Goal Rules (AG-rules). These rules are "extracted" from [1] and 
applied when the formula $F$ in the goal of an input (for AG) a-sequent is a literal. 
Applying AG-rules, we begin with some premise $\langle w_i, P_i, E_i\rangle$ such that the literal $F$ 
from the goal of the input (for AG) a-sequent has a positive occurrence (modulo 
equations) in $P_i$. Denote this occurrence by $F'$. Then we generate a-sequents, 
deterministically eliminating the principal logical connective from $P_i$ and so on 
until we get the literal $F'$. 

Such a series of eliminations of connectives in premises, done deterministically, 
can be viewed as an application of a "large-block" inference rule. (The phrase 
"modulo equations" means informally that the occurrence $F'$ extracted from 
$P_i$ can be transformed into $F$ by simultaneously replacing the terms occupying the 
argument places in $F'$ with some terms from $F$. Below the phrase "modulo equations" 
will often be omitted.) As for the elimination of principal logical connectives 
in premises, the remarks referring to the GS-rules hold, excluding, naturally, the 
remarks on $w_1, \ldots, w_n, w, E_1, \ldots, E_n, E$. An application of an AG-rule results in the 
generation of $m$ ($m > 0$) a-sequents with new goals and, possibly, some new (w.r.t. 
the input for AG a-sequent) premises. 

Let us introduce inductively, in a rigorous way, the notion of a positive (negative) occurrence of 
a literal $L$ in a formula $F$ (denoted by $F\lfloor L^+\rfloor$ and $F\lfloor L^-\rfloor$, respectively) modulo 
equations: 

(I) suppose that a literal $F$ ($\sim F$) can be obtained from $L(t_1, \ldots, t_n)$ by 
means of replacing $t_1, \ldots, t_n$ with some terms $t_1', \ldots, t_n'$. Then $L$ is said to have a 
positive (negative) occurrence in $F$ modulo the equations $t_1 = t_1', \ldots, t_n = t_n'$; 

(II.1) if $F\lfloor L^+\rfloor$ ($F\lfloor L^-\rfloor$) modulo the equations $t_1 = t_1', \ldots, t_n = t_n'$ and $F_1$ is 
a formula then $L$ has a positive (negative) occurrence (modulo the equations 
$t_1 = t_1', \ldots, t_n = t_n'$) in the following formulas: $F \wedge F_1$, $F_1 \wedge F$, $F \vee F_1$, $F_1 \vee F$, 
$F_1 \supset F$, $\forall x F$, $\exists x F$; 

(II.2) if $F\lfloor L^+\rfloor$ ($F\lfloor L^-\rfloor$) modulo the equations $t_1 = t_1', \ldots, t_n = t_n'$ and $F_1$ is 
a formula then $L$ has a negative (positive) occurrence (modulo the equations 
$t_1 = t_1', \ldots, t_n = t_n'$) in the following formulas: $F \supset F_1$, $\neg F$; 

(III) there are no other cases of positive (negative) occurrences of $L$ in $F$. 




Anatoli I. Degtyarev, Alexander V. Lyaletski, and Marina K. Morokhovets 



Propositional Rules 

(⊃1⇒)-rule: 
  $[B], \langle w, F\lfloor L^-\rfloor \supset F_1, E'\rangle, M \Rightarrow \langle w', L, E\rangle$ 
  ------------------------------------------------------------------------ 
  $[B], \langle w, (\neg F)\lfloor L^+\rfloor, E'\rangle, M \Rightarrow \langle w', L, E\rangle$        $[B, \sim L], M \Rightarrow \langle w, \neg F_1, E'\rangle$ 

(⊃2⇒)-rule: 
  $[B], \langle w, F \supset F_1\lfloor L^+\rfloor, E'\rangle, M \Rightarrow \langle w', L, E\rangle$ 
  ------------------------------------------------------------------------ 
  $[B], \langle w, F_1\lfloor L^+\rfloor, E'\rangle, M \Rightarrow \langle w', L, E\rangle$        $[B, \sim L], M \Rightarrow \langle w, F, E'\rangle$ 

(∨1⇒)-rule: 
  $[B], \langle w, F \vee F_1\lfloor L^+\rfloor, E'\rangle, M \Rightarrow \langle w', L, E\rangle$ 
  ------------------------------------------------------------------------ 
  $[B], \langle w, F_1\lfloor L^+\rfloor, E'\rangle, M \Rightarrow \langle w', L, E\rangle$        $[B, \sim L], M \Rightarrow \langle w, \neg F, E'\rangle$ 

(∨2⇒)-rule: 
  $[B], \langle w, F\lfloor L^+\rfloor \vee F_1, E'\rangle, M \Rightarrow \langle w', L, E\rangle$ 
  ------------------------------------------------------------------------ 
  $[B], \langle w, F\lfloor L^+\rfloor, E'\rangle, M \Rightarrow \langle w', L, E\rangle$        $[B, \sim L], M \Rightarrow \langle w, \neg F_1, E'\rangle$ 

(∧1⇒)-rule: 
  $[B], \langle w, F\lfloor L^+\rfloor \wedge F_1, E'\rangle, M \Rightarrow \langle w', L, E\rangle$ 
  ------------------------------------------------------------------------ 
  $[B], \langle w, F\lfloor L^+\rfloor, E'\rangle, \langle w, F_1, E'\rangle, M \Rightarrow \langle w', L, E\rangle$ 

(∧2⇒)-rule: 
  $[B], \langle w, F \wedge F_1\lfloor L^+\rfloor, E'\rangle, M \Rightarrow \langle w', L, E\rangle$ 
  ------------------------------------------------------------------------ 
  $[B], \langle w, F, E'\rangle, \langle w, F_1\lfloor L^+\rfloor, E'\rangle, M \Rightarrow \langle w', L, E\rangle$ 

(¬⇒)-rule: 
  $[B], \langle w, \neg(F\lfloor L^-\rfloor), E'\rangle, M \Rightarrow \langle w', L, E\rangle$ 
  ------------------------------------------------------------------------ 
  $[B], \langle w, F'\lfloor L^+\rfloor, E'\rangle, M \Rightarrow \langle w', L, E\rangle$ 

where $F'$ is the result of one-step transferring of ¬ into $F$. 

Termination Rules 

(⇒↓1)-rule: 
  $[B], \langle w, L(t_1, \ldots, t_n), E'\rangle, M \Rightarrow \langle w', L(t_1', \ldots, t_n'), E\rangle$ 
  ------------------------------------------------------------------------ 
  $[B], M \Rightarrow \langle w, \#, E''\rangle$ 

(Here $E'' = E' \cup E \cup \{t_1 = t_1', \ldots, t_n = t_n'\}$; $L(t_1, \ldots, t_n)$, $L(t_1', \ldots, t_n')$ are 
literals.) 

(⇒↓2)-rule: 
  $[B_1, L(t_1, \ldots, t_n), B_2], M \Rightarrow \langle w', L(t_1', \ldots, t_n'), E\rangle$ 
  ------------------------------------------------------------------------ 
  $[B_1, L(t_1, \ldots, t_n), B_2], M \Rightarrow \langle w', \#, E'\rangle$ 

(Here $E' = E \cup \{t_1 = t_1', \ldots, t_n = t_n'\}$; $L(t_1, \ldots, t_n)$, $L(t_1', \ldots, t_n')$ are literals.) 

Quantifier Rules 

(∀⇒)-rule: 
  $[B], \langle w, \forall x (F\lfloor L^+\rfloor), E'\rangle, M \Rightarrow \langle w', L, E\rangle$ 
  ------------------------------------------------------------------------ 
  $[B], \langle wx', F|^x_{x'}\lfloor L^+\rfloor, E'\rangle, \langle w, \forall x F, E'\rangle, M \Rightarrow \langle w', L, E\rangle$ 

where $x'$ is a new unknown variable. 

(∃⇒)-rule: 
  $[B], \langle w, \exists x (F\lfloor L^+\rfloor), E'\rangle, M \Rightarrow \langle w', L, E\rangle$ 
  ------------------------------------------------------------------------ 
  $[B], \langle wx, F\lfloor L^+\rfloor, E'\rangle, M \Rightarrow \langle w', L, E\rangle$ 

where $x$ is a new fixed variable. 



Premise Addition Rule (PA-rule). This rule affects the whole proof search 
tree. After every application of the (∀⇒)-rule ((∃⇒)-rule) the new premise 
$\langle wx', F|^x_{x'}\lfloor L^+\rfloor, E'\rangle$ ($\langle wx, F\lfloor L^+\rfloor, E'\rangle$) is added to the antecedents of all a-sequents 
containing the premise $\langle w, \forall x (F\lfloor L^+\rfloor), E'\rangle$ ($\langle w, \exists x (F\lfloor L^+\rfloor), E'\rangle$) throughout 
the current tree. 

Axioms. Axioms are a-sequents of the form $[B], M \Rightarrow \langle w, \#, E\rangle$, where $\#$ 
denotes an empty formula. 

Applying the rules "from top to bottom" to an input a-sequent and afterwards 
to its "heirs", and so on, we finally obtain an inference tree. An inference 
tree Tr is called a proof tree for an input a-sequent (in gS) if and only if (1) every 
leaf of Tr is an axiom; (2) there exists the most general simultaneous unifier 
(mgsu) $s$ of all sets of equations from Tr; (3) $s$ is admissible for the set of all 
sequences of fixed and unknown variables from Tr. 

Remark 1. The formulation of the calculus gS shows that the order of quantifier 
rule applications is immaterial, i.e. it does not influence the final result. In the 
calculus gS, the quantifier rules are needed to determine the quantifier structure 
of formulas from an input sequent $P_1, \ldots, P_n \Rightarrow F$. Also, note that generating the 
most general simultaneous unifier and checking the admissibility of the mgsu can 
be done at an arbitrary moment of constructing an inference tree (in particular, this 
moment can be determined by a user). 



Main Results on gS. Below we give the main results on gS. Remember that we 
consider 1st-order classical logic in a sequent form. 

Proposition 1 (soundness and completeness of gS). Let $F_1, \ldots, F_n \Rightarrow F$ be 
a sequent (with its usual meaning) and the set $\{F_1, \ldots, F_n\}$ be consistent. The 
sequent $F_1, \ldots, F_n \Rightarrow F$ is deducible in the calculus Gal if and only if there exists 
a proof tree for the input a-sequent $[\,], \langle\,, F_1,\,\rangle, \ldots, \langle\,, F_n,\,\rangle \Rightarrow \langle\,, F,\,\rangle$ in gS. 

A Proof Scheme. It can be shown that, having a proof tree Tr in gS, it is possible 
to construct a proof tree Tr' in the calculus mG [2] and vice versa. In [2], it is 
shown (using some results from [17]) that Tr' can be transformed into a proof 
tree in Gal and vice versa. 

Corollary 1. A formula $F$ is valid if and only if there exists a proof tree for 
the input a-sequent $[\,] \Rightarrow \langle\,, F,\,\rangle$ in the calculus gS. 



An Example on gS. The simple example given below demonstrates the peculiarities 
of quantifier handling in the calculus gS and the proof tree generation 
techniques. 

Suppose we would like to establish the deducibility of the following sequent 
in the calculus Gal: $\forall y_1 \exists z_1 \forall x_1 (F_1 \vee F_2) \Rightarrow \forall x_2 \exists y_2 F$, where $F_1$ is $R(f(z_1, y_1), x_1)$, 
$F_2$ is $R(f(z_1, x_1), x_1)$, and $F$ is $R(y_2, f(x_2, c))$ ($R$ is a predicate symbol, $f$ is a 
functional symbol, $c$ is a constant symbol). To follow the proof search process, 
Figure 1 is given. The corresponding initial a-sequent in the calculus gS is (1) below. 

        (1) 
         |   (⇒∀), (⇒∃) 
        (2) 
         |   (∀⇒), (∃⇒), (∀⇒) 
        (3) 
       /   \ 
  (3.1.1)   (3.2.1) 

Fig. 1. The proof tree constructed in gS 

(1) $[\,], \langle\,, \forall y_1 \exists z_1 \forall x_1 (F_1 \vee F_2),\,\rangle \Rightarrow \langle\,, \forall x_2 \exists y_2 F,\,\rangle$ 

Applying subsequently to (1) the rules (⇒∀) and (⇒∃) we obtain: 

(2) $[\,], \langle\,, \forall y_1 \exists z_1 \forall x_1 (F_1 \vee F_2),\,\rangle, P \Rightarrow \langle x_2 y_2', F',\,\rangle$, 

where $P$ is $\langle x_2, \forall y_2 \neg R(y_2, f(x_2, c)),\,\rangle$ and $F'$ is $R(y_2', f(x_2, c))$. There is a 
positive occurrence of $F'$ in $F_2$ ($F_2\lfloor F'^+\rfloor$), so AG-rules, namely (∀⇒), (∃⇒), 
(∀⇒), are applicable to (2). As a result, we have: 

(3) $[\,], \langle y_1' z_1 x_1', F_1' \vee F_2'\lfloor F'^+\rfloor,\,\rangle, P_1, P_2, P \Rightarrow \langle x_2 y_2', F',\,\rangle$, 

where $F_1'$ is $R(f(z_1, y_1'), x_1')$, $F_2'$ is $R(f(z_1, x_1'), x_1')$, $P_1$ is $\langle\,, \forall y_1 \exists z_1 \forall x_1 (F_1 \vee F_2),\,\rangle$, 
and $P_2$ is $\langle y_1' z_1, \forall x_1 (F_1'' \vee F_2''),\,\rangle$, with $R(f(z_1, y_1'), x_1)$ for $F_1''$ and 
$R(f(z_1, x_1), x_1)$ for $F_2''$. 

From (3) by (∨1⇒), we obtain two a-sequents: 

(3.1) $[\,], \langle y_1' z_1 x_1', F_2'\lfloor F'^+\rfloor,\,\rangle, P_1, P_2, P \Rightarrow \langle x_2 y_2', F',\,\rangle$ 

(3.2) $[\neg F'], P_1, P_2, P \Rightarrow \langle y_1' z_1 x_1', \neg F_1',\,\rangle$. 
Note that

1) GS-rules are applied until the formula in the succedent of the a-sequent is a literal;

2) AG-rules are applied "to shell" a positive occurrence of the goal in the antecedent. So, the transition from a-sequent (1) to a-sequent (2) and then from a-sequent (2) to a-sequents (3.1) and (3.2) can be thought of as the results of applying two "large-block" inference rules. Moreover, these transitions are strongly directed by the goal formula.

As F'2 is R(f(z1,x'1),x'1) and F' is R(y'2, f(x2,c)), the (⇒μ1)-rule is applicable to (3.1), yielding

(3.1.1) [ ], P1, P2, P ⇒ <y'1z1x'1, ∅, E1>,

where E1 = {y'2 = f(z1,x'1), f(x2,c) = x'1} and ∅ stands for the empty formula.

As F'1 is R(f(z1,y'1),x'1), the (⇒μ2)-rule is applicable to (3.2), and the result is

(3.2.1) [¬F'], P1, P2, P ⇒ <y'1z1x'1, ∅, E2>,

where E2 = {y'2 = f(z1,y'1), f(x2,c) = x'1}.

We have obtained the tree Tr in which every leaf has an a-sequent with the empty formula as its goal. The set E1 ∪ E2 is unifiable with mgsu σ = {f(x2,c)/x'1, f(z1,f(x2,c))/y'2, f(x2,c)/y'1}.

For the tree Tr, we have the following set W of all sequences of fixed and unknown variables: W = {x2, x2y'2, y'1, y'1z1, y'1z1x'1}. So, Δ(W,σ) = {<y'1, f(z1,f(x2,c)), y'1z1>, <y'1, f(z1,f(x2,c)), y'1z1x'1>}. As f(z1,f(x2,c))/y'1 ∉ σ, σ is admissible for W. Then Tr is a proof tree, and by Proposition 1 the initial sequent is deducible in Gal.

Remark 2. If we took ∃y2∀x2F as the goal formula in the initial sequent, then, "repeating" the construction of Tr, we would obtain the "copy" Tr' of Tr with the same mgsu σ and with the following set W of all sequences of fixed and unknown variables: W = {y'2, y'2x2, y'1, y'1z1, y'1z1x'1}. For W and σ, we have: Δ(W,σ) = {<y'1, f(z1,f(x2,c)), y'1z1>, <y'1, f(z1,f(x2,c)), y'1z1x'1>, <y'2, f(z1,f(x2,c)), y'2x2>}. As f(z1,f(x2,c))/y'2 ∈ σ, σ is not admissible for W, and then Tr' is not a proof tree in gS. If we choose other positive occurrences of F in premises, we obtain the same result. (Note that special techniques for checking the admissibility of substitutions have been proposed in [2].)

Remark 3. This example illustrates that both the (⇒μ1)-rule and the (⇒μ2)-rule are essential for the completeness of gS. Indeed, if we drop either of the rules, we do not get a proof tree.

Remark 4. There is no application of the PA-rule in the above example. However, it is not difficult to see that the PA-rule is necessary to prove the following sequent: ∃xR(x) ⇒ ∃y(R(y) ∧ R(y)).
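The unification of E1 ∪ E2 and the admissibility test on W in the example above (and again in Remark 2) can be carried out mechanically. The following Python script is an added example, not code from the paper or from the AO programme. It encodes terms as nested tuples, marks unknown variables with a trailing apostrophe (the paper's primes), and treats fixed variables as constants during unification. The precise definition of admissibility is given in [1,2] and is not reproduced on this page, so the script assumes a reading that matches both outcomes shown: Δ(W, σ) lists every bound unknown v together with each sequence in which some fixed variable follows v, and σ is inadmissible iff one of those unknowns is bound to a term containing such a later fixed variable.

```python
# Added example (not from the paper): unification of E1 ∪ E2 from the gS
# example, then the admissibility check of the mgsu against W.
# Assumed encoding: a variable is a str; unknown (substitutable) variables end
# with an apostrophe (y1', x1', y2'), fixed ones do not (z1, x2); a compound
# term is a tuple (symbol, arg1, ..., argn); a constant is (symbol,).

def is_var(t):
    return isinstance(t, str)

def is_unknown(t):
    return is_var(t) and t.endswith("'")

def occurs(v, t):
    """True if variable v occurs anywhere inside term t."""
    if is_var(t):
        return v == t
    return any(occurs(v, a) for a in t[1:])

def apply(sigma, t):
    """Apply substitution sigma (dict var -> term) to term t."""
    if is_var(t):
        return apply(sigma, sigma[t]) if t in sigma else t
    return (t[0],) + tuple(apply(sigma, a) for a in t[1:])

def unify(equations):
    """Most general unifier of a list of (s, t) pairs, or None if none exists.
    Only unknown variables may be bound; fixed variables behave like constants,
    so z1 = x2 fails while y1' = f(x2, c) succeeds."""
    sigma = {}
    work = list(equations)
    while work:
        s, t = work.pop()
        s, t = apply(sigma, s), apply(sigma, t)
        if s == t:
            continue
        if is_unknown(t) and not is_unknown(s):
            s, t = t, s                      # bind the unknown side
        if is_unknown(s):
            if occurs(s, t):                 # occurs check: no cyclic bindings
                return None
            sigma = {v: apply({s: t}, u) for v, u in sigma.items()}
            sigma[s] = t
            continue
        if is_var(s) or is_var(t) or s[0] != t[0] or len(s) != len(t):
            return None                      # fixed var vs. term, or symbol clash
        work.extend(zip(s[1:], t[1:]))
    return sigma

def delta(W, sigma):
    """Assumed reading of Δ(W, σ): triples <v, σ(v), w> for each unknown v bound
    by σ and each sequence w in W where a fixed variable comes after v."""
    out = []
    for w in W:
        for i, v in enumerate(w):
            if is_unknown(v) and v in sigma and any(not is_unknown(u) for u in w[i + 1:]):
                out.append((v, sigma[v], w))
    return out

def admissible(W, sigma):
    """Assumed criterion: σ is admissible for W unless some unknown v is bound
    to a term containing a fixed variable that follows v in a sequence of W."""
    for v, t, w in delta(W, sigma):
        later_fixed = [u for u in w[w.index(v) + 1:] if not is_unknown(u)]
        if any(occurs(u, t) for u in later_fixed):
            return False
    return True

# The example's equation sets: F' = R(y2', f(x2, c)) unified with
# F2' = R(f(z1, x1'), x1') gives E1, and with F1' = R(f(z1, y1'), x1') gives E2.
C = ("c",)
F_X2_C = ("f", "x2", C)
E1 = [("y2'", ("f", "z1", "x1'")), (F_X2_C, "x1'")]
E2 = [("y2'", ("f", "z1", "y1'")), (F_X2_C, "x1'")]

# W for the goal ∀x2∃y2F (the example) and for ∃y2∀x2F (Remark 2).
W_EXAMPLE = [("x2",), ("x2", "y2'"), ("y1'",), ("y1'", "z1"), ("y1'", "z1", "x1'")]
W_REMARK2 = [("y2'",), ("y2'", "x2"), ("y1'",), ("y1'", "z1"), ("y1'", "z1", "x1'")]

def run_example():
    """Returns the mgsu of E1 ∪ E2 and the two admissibility verdicts."""
    sigma = unify(E1 + E2)
    return sigma, admissible(W_EXAMPLE, sigma), admissible(W_REMARK2, sigma)

if __name__ == "__main__":
    sigma, ok_example, ok_remark2 = run_example()
    print("mgsu:", sigma)
    print("admissible for the example:", ok_example)   # True
    print("admissible for Remark 2:", ok_remark2)      # False
```

The mgsu comes out as the paper's σ (x1' and y1' both bound to f(x2,c), y2' to f(z1,f(x2,c))); the only difference between the two runs is the order of y'2 and x2 in W, which is exactly what turns the proof tree of the example into the non-proof tree of Remark 2.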

3.2 A Brief Description of mS 

The calculus mS permits presenting an initial problem as a text in a certain 1st-order formal language containing definitions and auxiliary propositions, and using analogs of such natural theorem proving techniques as application of definitions and auxiliary propositions. The peculiarity of mS is that the needed definitions and auxiliary propositions are extracted from a self-contained mathematical text written in the formal language TL [6], approximated to the language of usual mathematical papers. A self-contained mathematical text is a text that, in addition to a proposition to be proved, also includes assumptions, propositions, and definitions that can be used while the proof of a given assertion (theorem) is being searched for.

Processing a self-contained mathematiccJ text for the purpose of proving a 
given theorem is divided into two parts: 

1. Translating an original TL-text into a so-called 1st-order TL-text (TL1-text). TL1-sentences, on the one hand, are analogs of 1st-order logic formulas, and, on the other hand, preserve the signature of the original TL-text, its syntax and structure (i.e. partitioning into definition sections, auxiliary proposition sections and the theorem to be proved). Notice that translation of a TL-text (which satisfies certain restrictions) into a TL1-text can be done automatically (see, for example, [18]). A TL1-text is the source for the inference search procedure in the calculus mS. Note that to use an inference search procedure in the calculus gS a TL1-text should be translated into a set of 1st-order formulas.

2. Searching for a proof in the calculus mS. 

After the text has been written in TL-language and converted into a TLl-text, 
a theorem proof search is carried out using the inference rules of mS. 

The assertion T to be proved is represented as a substantive TL1-section "theorem", in which conditions and a conclusion are separated, and an initial a-sequent (with respect to T) is constructed with the conditions and conclusion in its antecedent and succedent, respectively. (The remaining part of the TL1-text is given as the set of definitions and auxiliary propositions.)

The basic object of mS (as of gS) is an a-sequent. 

As in gS, an a-sequent of mS is an expression of the form [B], <w1, F1, E1>, ..., <wn, Fn, En> ⇒ <w, F, E>, where w1, ..., wn, w, E1, ..., En, E, B are the same as in gS-sequents, but F1, ..., Fn, F are TL1-sentences.

As TL1-sentences can be viewed as first-order formulas, GS-rules, AG-rules, and the PA-rule are extended to mS-sequents in an obvious way. In this connection, we omit the formulation of the rules here and use the same names for these rules in mS.

Structuring TL1-texts according to substantive sections (i.e. definitions, propositions, etc.) enables introducing in mS the definition application rule (DA) and the auxiliary proposition rule (AP) in a natural way. These rules can be viewed as specific variants of AG. A definition or auxiliary proposition being a substantive section of a TL1-text is treated as a premise for the goal under consideration. As in the case of AG, the DA and AP rules can be applied depending on the existence in the premise of a positive occurrence (modulo equations) of the TL1-sentence from the goal of an input (for DA or AP) a-sequent. DA and AP represent analogs of natural theorem-proving techniques for application of definitions and auxiliary propositions.
As in gS, during proof search in mS an inference tree Tr is constructed (w.r.t. the theorem T to be proved and the "environmental" TL1-text Txt). The a-sequent in the root of Tr is uniquely defined by T. The notion of a proof tree in mS has the same meaning as in gS.

In any moment during inference search, it is possible to test whether a current 
inference tree can be transformed into a proof tree. When construction of a proof 
tree is made in an interactive mode, a user may initiate this test. 

Remark 5. Let Tr be a current inference tree and s an admissible substitution for Tr (in the sense of [1,2]). Let Tr * s denote the result of applying s to every TL1-sentence from the a-sequents occurring in Tr. It is possible to search for a proof in mS in such a way that the proof search can be continued with Tr * s when Tr is not a proof tree, and then backtrack if necessary. The example given below is exactly the case of using a search technique of this type, with an admissible substitution generated after every AG, DA, or AP application.



Main Results on mS. It was noted above that any TL1-sentence can be treated as an analog of some 1st-order classical logic formula. This enables constructing formula patterns of such units of a TL1-text as the theorem to be proved, a definition, an auxiliary proposition, and treating a self-contained TL1-text as a set of 1st-order formulas. So, it is possible to understand unambiguously the terms "TL1-text consistency", "logical consequence of a theorem from a given TL1-text", and "validity" (of the theorem to be proved) without specially defining the semantics of the TL1-language. With this in mind, we state the main results about mS as follows.

Proposition 2 (soundness and completeness of mS). A TL1-theorem T is a logical consequence of a consistent TL1-text Txt if and only if a proof tree w.r.t. T and Txt can be constructed in mS.

A Proof Scheme. As TL1-sentences can be viewed as analogs of first-order formulas, and DA and AP are special variants of AG, Proposition 1 guarantees the validity of Proposition 2.

Corollary 2. A TL1-theorem T is valid if and only if a proof tree w.r.t. T only can be constructed in mS.

We note, as a side result, that the rather rich collection of rules in mS enables constructing various proof search strategies which model proofs from usual mathematical texts, and, by maintaining the interactive mode of proof search, allows a user to influence the proof process actively. If such a strategy (with or without the participation of a human) ensures an exhaustive search, then Proposition 2 and Corollary 2 guarantee the soundness and completeness of the strategy.



An Example on mS. As we present below a proof (but not a proof search), we use the standard Gentzen notation for sequents instead of the a-sequent notation, "hiding" equation handling and variable sequence processing in comments. Below, we regard a sequent as proved if it is of the form [B], P1, ..., P_{i-1}, P, P_{i+1}, ..., Pn ⇒ P, because it is obvious that a subsequent AG-rule application transforms this sequent into the axiom.

Let us consider the proof of the following assertion: "If M is a subset of any set then M is empty". We treat this assertion as a part of a self-contained mathematical TL-text. Note that we use the English version of TL and TL1 to which [19] is dedicated.

The corresponding TL-text is as follows. 

The TL-text "Sets".

Definition 1. Let X be a_set. Let Y be a_set. Y is a_subset_of X IFF any element_of Y is an_element_of X.

Definition 2. Let Z be a_set. Z is empty IFF it_is_not_true_that there_exists an_element_of Z.

Proposition 1. Any subset_of any set is a_set.

Proposition 2. There_exists the empty set.

Theorem. If M is a_subset_of any set then M is empty.

As a result of the syntactical transformation of the above TL-text, we get the following TL1-text.

The TL1-text "Sets".

Definition 1. Let X be a_set. Let Y be a_set. Y is a_subset_of X IFF for_any e it_is_true_that if e is an_element_of Y then e is an_element_of X.

Definition 2. Let Z be a_set. Z is empty IFF it_is_not_true_that there_exists e such_that e is an_element_of Z.

Proposition 1. For_any X,Y it_is_true_that if Y is a_set and X is a_subset_of Y then X is a_set.

Proposition 2. There_exists u such_that u is empty and u is a_set.

Theorem. Let for_any X it_is_true_that if X is a_set then M is a_subset_of X. Then M is empty.

Note that both in the TL1-text and in the proof given below the usual names for mathematical notions are preserved. This is convenient for a user while searching for a proof in an interactive mode. To make the proof search process more transparent, the proof tree constructed in mS is shown in Figure 2.

Proof. The following initial sequent corresponds to the theorem:

For_any X it_is_true_that if X is a_set then M is a_subset_of X ⇒ M is empty,

where M is a fixed variable. Denote the formula in the antecedent of this sequent by Π. Then we have:

1. Π ⇒ M is empty.

First of all, AG is to be tried. It is not applicable in this case, because there are no occurrences of the goal in the premises. GS-rules are not applicable either, as the current goal does not include logical connectives. The rule DA is applied to the goal. Note that when DA is applied, a definition is copied and then those variables which belong to the copy are renamed. In the text below, each renamed variable has a superscript which is equal to the number of the particular definition. In this case DA is applicable to Definition 2. As a result, we have:
Fig. 2. The proof tree constructed in mS: sequent 1 yields 1.1 and 1.2 (DA, Def. 2); 1.1 is reduced by GS to 1.1.1 and then to 1.1.1.1; 1.1.1.1 yields 1.1.1.1.1, 1.1.1.1.2, 1.1.1.1.3, 1.1.1.1.4 (DA, Def. 1); 1.1.1.1.1 yields 1.1.1.1.1.1 and 1.1.1.1.1.2 (DA); 1.1.1.1.1.1 yields 1.1.1.1.1.1.1 (AP, Prop. 2); 1.1.1.1.3 becomes 1.1.1.1.3' and yields 1.1.1.1.3'.1 (AP, Prop. 1).
1.1. Π ⇒ it_is_not_true_that there_exists e such_that e is an_element_of M.

1.2. Π ⇒ M is a_set.

So, inferring the sequent 1 reduces to inferring the sequents 1.1 and 1.2. Consider 1.1. Applying GS, we obtain:

1.1.1. Π ⇒ for_any e it_is_true_that (it_is_not_true_that e is an_element_of M).

1.1.1.1. Π ⇒ it_is_not_true_that e is an_element_of M.

Here e is a fixed variable; it cannot be substituted by terms. Now 1.1.1.1 is the current sequent. As there are no occurrences of the current goal in the premise, DA is applied to Definition 1:

1.1.1.1.1. Π ⇒ it_is_not_true_that e is an_element_of X¹.

1.1.1.1.2. Π ⇒ M is a_subset_of X¹.

1.1.1.1.3. Π ⇒ M is a_set.

1.1.1.1.4. Π ⇒ X¹ is a_set.

X¹ is a new unknown variable; it can be replaced by terms.

Note that Definition 2 is also applicable to 1.1.1.1. However, as we demonstrate the proof, and not the protocol of the proof search, we show only "successful" steps. Choose 1.1.1.1.1 to process. There are no occurrences of the goal in the premise. The rule DA is applicable to Definition 2. The application with the appropriate substitution {Z²/X¹} results in two sequents:

1.1.1.1.1.1. Π ⇒ Z² is empty.

1.1.1.1.1.2. Π ⇒ Z² is a_set.

Here Z² is an unknown variable. One more point needs to be made. A unifier produced when a particular inference rule is applied to the current goal should be used in every node of the inference tree.

Both Definition 2 and Proposition 2 are applicable to 1.1.1.1.1.1. We choose to apply Proposition 2. As a result, the set of premises for the current goal is extended and the substitution {u/Z²} is generated. New premises can be added to the antecedent of any sequent in the inference tree and can participate in further inference steps. Then we have:

1.1.1.1.1.1.1. Π, u is empty, u is a_set ⇒ u is empty.

As there is an occurrence of the current goal in the premises, this goal is proven. The sequent 1.1.1.1.1.2 is now of the form: Π, u is empty, u is a_set ⇒ Z² is a_set.

There is an occurrence of the goal in the premises (the corresponding unifier is u/Z²). So, the goal "Z² is a_set" is also proven. The next sequent is 1.1.1.1.2. It is provable, because there is an occurrence of its goal in the premises (the corresponding substitution is X¹/X⁰, where X⁰ is a new variable which substitutes X in Π when searching for an occurrence of the goal of the sequent in Π). Consider sequent 1.1.1.1.3 taking into account the additional premises:

1.1.1.1.3'. Π, u is a_set, u is empty ⇒ M is a_set.

There are no occurrences of the current goal in the premises. The rule AP is applicable to Proposition 1. Notice that the assumptions of Proposition 1 are true under the premises of the current sequent. It is particularly transparent if Π is transformed into "M is a_subset_of set_X", and the premise of Proposition 1 is transformed into "X is a_subset_of set_Y". (Note that, in general, representation of assumptions of propositions and premises of sequents in such a form makes a part of the proof environment along with definitions and auxiliary propositions.) In that way, we obtain:

1.1.1.1.3'.1. Π, u is a_set, u is empty, M is a_set ⇒ M is a_set.

So, the goal "M is a_set" is proven. Then the sequents 1.1.1.1.3 and 1.2 are proven, too. Given that the additional premises have been introduced and the substitution has been generated, the sequent 1.1.1.1.4 is now of the form:

Π, u is empty, u is a_set ⇒ u is a_set.

Now, AG is applicable. The sequent is proven. There are no more sequents to prove. So, the initial theorem is proven.



4 Related Work 

In this paper we mainly focused on theorem proving in the AO-style, but the AO programme also concerns issues other than theorem proving.

By now, a lot of various ATP systems have been developed (see, for example, [20]). They differ in the types of calculi underlying inference search procedures, search methods used, and ranges of problems tackled. Of course, the historical relationship between AO and the other systems which are well-known in the world and the relationship between the calculi presented here and the systems in use today are worth a special discussion. But here we would like to mention some of the works (both projects and functioning systems) which are most congenial to the ideas underlying the AO programme, i.e. those supporting an integrated environment for "doing mathematics" and concerning the following issues:

- source data language is rich enough to support communication with a user 
in the terms of a given application domain; 

- different computer mathematical tools, such as theorem provers, computer 
algebra systems, numerical computation procedures, proof editors, etc., are in- 
tegrated to assist in solving mathematical problems; 

- a base of mathematical knowledge is used during problem solving, and it 
evolves and increases as new knowledge is obtained; 

- problem solving can be done in an interactive mode, enabling a user to 
influence search processes. 

The system MIZAR [21] is oriented to theorem proof checking within a math- 
ematical environment. Its input data language is closer syntactically to the usual 
mathematical one than a first-order logic language. 

The system THEOREMA [22] is being built as an integrated environment for solving mathematical problems. So, the issues of interaction between a user and the system, enriching the input data language, the development of natural-like proof search procedures, and natural language formulation of proofs are dealt with as the system progresses.

The system OMEGA [23] supports theorem proving in mathematics and mathematical education, in which different units for "doing mathematics", namely deductive procedures, both well-known general-purpose theorem provers and specialized reasoners, and a computer algebra system are integrated. It provides a structured knowledge base of mathematical theories and supports theorem proving as a human-oriented interactive process.

The system ISABELLE [24] is an environment for interactive theorem proving. It contains a mathematical knowledge base: a library of concrete mathematics and various packages for advanced mathematical concepts. It also attempts to support the kind of proving usual for mathematicians by reasoning "in the terms" of a given application domain.

As the final goal of the QED project [25] is computer supported integration of existing mathematical knowledge, the problems of adequate representation of mathematical data, particularly of the development of appropriate languages for the description of mathematical theories, and of efficient mathematical theorem validation techniques arise.



5 Conclusion 

Nowadays, there is an observable tendency towards integration of various systems for representing and processing mathematical knowledge. Taking this fact into consideration, the authors hope that this paper and some theses on the AO programme can be helpful in attacking such problems as distributed automated theorem proving, checking self-contained mathematical texts for correctness, remote training in mathematical disciplines, extracting knowledge from mathematical papers, and constructing data bases for mathematical theories.
Abstract. In this work, the notion of provability for first order linear temporal logic over finite time structures, FO-LTL^fin, is studied. We show that the validity problem for such a logic is not recursively enumerable, hence FO-LTL^fin is not recursively axiomatizable.

This negative result however does not hold in the case of bounded validity, that is truth in all temporal models where the object domain is possibly infinite, but the underlying sequence of time points does not exceed a given size. A formula is defined to be k-valid if it is true in all temporal models whose underlying time frame is not greater than k, where k is any fixed positive integer. In this work a tableau calculus is defined, that is sound and complete with respect to k-validity, when given as input the initial formula and the bound k on the size of the temporal models. The main feature of the system, extending the propositional calculus defined in [7], is that of explicitly denoting time points and having tableau nodes labelled by either expressions intuitively stating that a formula holds in a given temporal interval, or "temporal constraints", i.e. linear inequalities on time points. Branch closure is reduced to unsatisfiability over the integers of the set of temporal constraints in the branch.



1 Introduction 

The model of time underlying Linear Temporal Logic (LTL) is a discrete, linear sequence of states, usually taken to be bounded in the past and infinite in the future. In other words, the set of time points is isomorphic to ℕ. Different sets of temporal operators may be considered; mainly, future time operators (□: always, ◇: eventually, ○: next, U: until), possibly restricting to the fragment with □ and ◇ only, or both past and future time ones ("full" LTL). In the propositional case, several sound, complete and terminating proof-systems for LTL have been provided; see for instance [19,18,4,2]. As far as first order LTL, equipped with the infinite semantics, is concerned, it has been proved that no complete recursive axiomatization can exist (see [14,1,16]). This explains why relatively little work has been done on the proof theory of first order LTL. An exception is [2], where a first order non-clausal resolution system is defined, which is complete w.r.t. the class of the so called "formulae provable with a clock".

* This work has been partially supported by Agenzia Spaziale Italiana (ASI) and CNR.
In this work, we consider first order LTL with a finite semantics, FO-LTL^fin, where time is assumed to be finite both in the past and in the future, while the object domain can be infinite. Its interest is due to the fact that there are problems in Computer Science and Artificial Intelligence where only a finite fragment of the time sequence is of interest. For instance, in the case of a database evolving through time by means of updates, queries involving several states of the database, as well as dynamic integrity constraints, may be expressed by first order temporal formulae, and the database history, from the initial state up to the current state, can be modeled by a finite time temporal interpretation [11,3,6]. Similarly, the specification of a planning problem may be expressed by means of a set of temporal logic formulae; since a plan is a finite sequence of actions, leading from the initial situation to the desired goal, it can be modeled by a finite time temporal interpretation [7,8].

In [7] the propositional version of LTL over finite time frames is studied and a labelled tableau calculus is defined and proved sound, complete and terminating. Obviously, however, propositional logic is expressively too poor for the above mentioned applications. In the case of FO-LTL^fin, decidability is clearly lost, but what about semi-decidability? In both [1] and [16], the kernel of the proof techniques used to get the intrinsic incompleteness result for first order LTL with the infinite semantics is the possibility of encoding arithmetic into such a logic. It is apparent that such proofs cannot be adapted to the case of FO-LTL^fin, where a time frame is isomorphic to a finite initial segment of the natural numbers. In this work, however, we show that the validity problem for FO-LTL^fin is still not recursively enumerable, by use of a different, and quite natural, technique. As a consequence, no effective proof system for FO-LTL^fin may exist.

In the case of FO-LTL^fin, a weaker notion than validity can be considered. If k is any given positive integer, the notion of k-validity of a formula is defined as follows: F is k-valid iff it is true in any finite interpretation whose underlying time frame is not greater than k. Such a notion of bounded validity is still a useful one in several applications, for instance, in databases, where the question of the preservation of an integrity constraint after a given number k of updates is important [5], and in planning, where the searched plan can be reasonably required not to exceed a given length.

In this work we propose a labelled tableau calculus which is sound and complete w.r.t. the notion of bounded FO-LTL^fin-validity. The main difference of our approach, w.r.t. "traditional" tableaux for LTL, is the use of labels on formulae, making it possible to embed semantical information in the calculus itself, namely the fact that a temporal frame is isomorphic to ℕ. Tableau rules introduce linear constraints on world variables, so that specific algorithms for solving integer constraints may be used in order to check satisfiability. The idea of using linear constraints over integers in proof systems for propositional linear temporal logic (with the infinite semantics) first appeared in [13] and [18,17], and it has been revisited in the calculus proposed in [7,8]. In the present work, we extend the calculus of [7] to the first order case, obtaining a system that is sound and complete w.r.t. bounded validity (albeit sound, modulo a minor modification, but obviously incomplete, w.r.t. validity in finite time frames tout court).



2 Syntax and Semantics of FO-LTL^fin

The language of linear temporal logic we consider includes the classical operators ¬, ∧, ∨, ⊥ (always false), ⊤ (always true), ∀ and ∃, the unary modal operators □ (always in the future) and ⊟ (always in the past), and the binary ones U (until) and S (since). The alphabet contains a set P of predicate symbols and a set F of function symbols; all the function symbols in F are rigid.¹ When the distinguished equality predicate = is considered, it is also taken to be rigid, in the sense that its interpretation (identity) does not change over time.

The semantics of the language with predicate symbols in P and function symbols in F is defined as follows. A temporal frame T is a finite initial segment of the natural numbers, {0, ..., k}; its elements are called time points. A temporal interpretation M is a quadruple (T, D, S_P, S_F) where T is a temporal frame, D is a non-empty set (the object domain, possibly infinite), S_P is a mapping from P × {0, ..., k} to the set of relations on D such that, for any n-ary predicate symbol p with n > 0 and any i ∈ T, S_P(p, i) is a subset of D^n, and S_F is a mapping from F to the set of (total) functions on D such that, for any n-ary function symbol f with n > 0, S_F(f) is a function from D^n to D.

Let σ be a variable assignment, i.e. a function from the set of variables Var to the domain D. Given any term t, its value [t]_{M,σ} w.r.t. the interpretation M and the variable assignment σ is defined as in the classical case. Note that, since the language is assumed to have only rigid function symbols, the interpretation of a term is the same at any time point.

If A is a formula, the satisfiability relation M_{σ,i} ⊨ A (to be read: A is satisfied by M w.r.t. the variable assignment σ at the time point i) extends the classical definition - with base cases M_{σ,i} ⊨ p(t1, ..., tn) iff ([t1]_{M,σ}, ..., [tn]_{M,σ}) ∈ S_P(p, i), and a similar one treating equality - as follows:

1. M_{σ,i} ⊨ □A iff for all j such that i < j, M_{σ,j} ⊨ A.

2. M_{σ,i} ⊨ A U B iff ∃j ∈ T such that i < j and M_{σ,j} ⊨ B, and for any k with i < k < j, M_{σ,k} ⊨ A.

3. M_{σ,i} ⊨ ⊟A iff for all j < i, M_{σ,j} ⊨ A.

4. M_{σ,i} ⊨ A S B iff ∃j ∈ T such that j < i and M_{σ,j} ⊨ B, and for any k with j < k < i, M_{σ,k} ⊨ A.

Note that, due to the "strict" interpretation of the modal operators (excluding the present time point in both cases of future and past time operators), the weak and strong "Next" and "Last" operators are definable. The ◇ (eventually) and ◆ (sometimes in the past) operators are also definable in terms of, respectively, U and S, as well as all the other standard temporal operators. The operators taken as primitive are all necessary in order to have a negation normal form property, that is exploited in Section 4.

¹ Note that non-rigid function symbols may always be simulated via predicates. Thus, considering only rigid function symbols does not affect the expressive power of the considered logic.

First Order Linear Temporal Logic over Finite Time Structures 65

When A is closed, we omit σ and we just write M_j ⊨ A to mean that A is satisfied by the structure M at the time point j. Truth of a formula A is satisfiability of its universal closure in the initial state: a formula A is true in M (and M is a model of A) iff M_0 ⊨ ∀x1, ..., ∀xn A, where x1, ..., xn are all the free variables in A. Truth of sets of formulae is defined as usual. Satisfiability of a closed formula is truth in at least one model, validity is truth in all models.² If k is a positive integer and A a closed formula, A is said to be k-satisfiable if it is true in some model whose temporal frame {0, ..., m} is such that m ≤ k. A is k-valid iff it is true in any model whose temporal frame {0, ..., m} is such that m ≤ k.

A formula is in negation normal form (nnf) iff no logical operator is in the scope of a negation. Two formulae A and B are equivalent iff for all M and i, M_i ⊨ A iff M_i ⊨ B. It can easily be shown that, under this strong notion of equivalence, every formula can be transformed into an equivalent formula in nnf.



3 FO-LTL^fin Is Not Semi-decidable

In [1] it is proved that a complete recursive axiomatization for first order LTL, equipped with the infinite semantics, cannot exist, by exploiting the power of the future time temporal operators □ (non strict always, whose semantics includes the present time point) and ○ (next). The proof makes use of the notion of Π¹₁ formulae, that is formulae having the form ∀R1 ... ∀Rk ∀F1 ... ∀Fk B, where B is some classical first order formula and 0, s, <, +, ×, R1, ..., Rk, F1, ..., Fk are all the predicate and function symbols in B. The complexity class Π¹₁ includes all problems no harder than the truth problem for Π¹₁ formulae. What is shown is that the LTL validity problem is Π¹₁-complete. The kernel of the proof consists in exhibiting a recursive embedding E of Π¹₁ formulae in LTL formulae, such that, given any Π¹₁ formula F, F is true if and only if E(F) is LTL valid. The definition of the mapping E uses the equality predicate =, one non-rigid constant a and only the (future) temporal operators □, the corresponding "non strict eventually" operator and ○ (next) - of course, the use of a may be actually simulated by an appropriate use of predicate symbols. In [16] some interpretability results of classical arithmetical theories in temporal theories are proved and, as a corollary, two versions of the incompleteness result for first order LTL with the future time operators are obtained. Since, as it has been afterwards shown in [15], validity of first order LTL formulae containing □ and ◇ may be reduced to validity of formulae containing only □ as a temporal operator, it follows that validity for first order LTL with equality and □ is not recursively enumerable.

² A different definition of validity can also be found in the literature: A is valid iff for any temporal interpretation M and for any time point i, M_i ⊨ A. However, it is easy to see that the two notions of validity are interdefinable.

In both [1] and [16], the kernel of the proof techniques used to get the incompleteness result is the possibility of encoding arithmetic into LTL. Thus, such proofs cannot be adapted to the case of FO-LTL^fin, where a time frame is isomorphic to a finite initial segment of the natural numbers.

However, it can be shown that the set of FO-LTL^fin valid formulae is not recursively enumerable by reducing the complement of the halting problem for Turing Machines to the validity problem for FO-LTL^fin.

Theorem 1. Given any Turing machine M and word w, a temporal formula F_{M,w} can be constructed, such that F_{M,w} is FO-LTL^fin-valid iff M never halts when given w as an input.

Proof. The proof, whose details can be found in [9], bears some similarities with the proof of the fact that validity in finite domains of classical predicate calculus formulae is not recursively enumerable. However, in the case of classical logic, the set of finitely satisfiable formulae is trivially recursively enumerable, so that in order to conclude that "finite validity" is not so it suffices to show that finite satisfiability is not recursive, by exhibiting a formula, for each Turing Machine M and input word w, which is finitely satisfiable if and only if M halts on w. In the case of LTL^fin, the class of satisfiable formulae is not recursively enumerable either (since classical first order satisfiability can trivially be reduced to LTL^fin satisfiability), hence an explicit construction of an LTL^fin formula which is valid if and only if M does not halt on w must be accomplished.

The proof can be sketched as follows. Given a deterministic Turing machine

M = (Q, Σ, Δ, q₀, q_f)

(where Q is the set of states, Σ the alphabet, Δ the transition table, q₀ the initial state and q_f the final state of the machine) and a word w in the alphabet of M, the language L_{M,w} of F_{M,w} contains: a constant symbol 0 and a unary function symbol s, the equality predicate and the binary relation symbol <, for each state q_i ∈ Q, the unary predicate symbol Q_i, and, for each symbol s_i ∈ Σ, the unary predicate symbol S_i.

We say that M halts before time k if for some time n < k, M is in state q_f at time n. We define a set of "intended interpretations" 𝓜^k of the language L_{M,w}, for each k > 0 such that the machine M does not halt before time k, when given the word w as an input. The time structure of 𝓜^k is (0, ..., k). The domain is ℕ. 𝓜^k assigns zero to 0 and the successor function to s. Moreover, if σ is a variable assignment and t ∈ T:

1. 𝓜^k_{σ,t} ⊨ Q_i(x) iff at time t the machine is in state q_i, scanning square number σ(x)

2. 𝓜^k_{σ,t} ⊨ S_i(x) iff at time t the symbol s_i is in square number σ(x)

3. 𝓜^k_{σ,t} ⊨ x < y iff σ(x) is less than σ(y)
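The intended interpretations 𝓜^k of items 1 to 3 can be built mechanically by running M on w. The following Python program is an added example, not code from the paper: it simulates a deterministic machine for k steps, records at each time point the extension of every Q_i (the scanned square, when the state is q_i) and of every S_i (the squares holding s_i), and stops as soon as the final state is reached, since time ends there in the encoding. The two machines OVERWRITE and RUNAWAY, the tape conventions (right-infinite tape, blank "_", head moves in {-1, 0, +1}) and all identifiers are constructed for this example.

```python
"""Added example: the intended interpretations M^k of L_{M,w} (Theorem 1),
obtained by running a deterministic Turing machine M on the word w."""
from typing import Dict, FrozenSet, List, Tuple

# A transition table Delta maps (state, scanned symbol) to (new state, symbol
# written, head move in {-1, 0, +1}).  The tape is right-infinite with blank "_".
Delta = Dict[Tuple[str, str], Tuple[str, str, int]]
# One time point of M^k: the extension of every Q_i and of every S_i (items 1-2).
TimePoint = Tuple[Dict[str, FrozenSet[int]], Dict[str, FrozenSet[int]]]


def intended_interpretation(delta: Delta, q0: str, qf: str, w: str, k: int) -> List[TimePoint]:
    """Time points 0..k of M^k.  At time t, Q_i(x) holds exactly for the square x
    scanned while the state is q_i, and S_i(x) for the squares x holding s_i.
    The run stops at q_f, since time ends when the final state is reached."""
    tape = list(w) if w else ["_"]
    state, head = q0, 0
    points: List[TimePoint] = []
    for _ in range(k + 1):
        Q = {state: frozenset({head})}                 # item 1
        S: Dict[str, set] = {}                         # item 2
        for square, symbol in enumerate(tape):
            S.setdefault(symbol, set()).add(square)
        points.append((Q, {s: frozenset(xs) for s, xs in S.items()}))
        if state == qf:
            break                                      # time ends in the final state
        state, tape[head], move = delta[(state, tape[head])]
        head = max(0, head + move)                     # square 0 is the leftmost one
        if head == len(tape):
            tape.append("_")                           # extend the tape on demand
    return points


def halts_before(points: List[TimePoint], qf: str, k: int) -> bool:
    """M halts before time k iff it is in state q_f at some time n < k."""
    return any(qf in Q for Q, _ in points[:k])


# Constructed toy machines (not from the paper).  OVERWRITE turns every 'a' into
# 'b' and stops on the first blank; RUNAWAY walks right forever and never halts.
OVERWRITE: Delta = {("q0", "a"): ("q0", "b", +1), ("q0", "b"): ("q0", "b", +1),
                    ("q0", "_"): ("qf", "_", 0)}
RUNAWAY: Delta = {("q0", "a"): ("q0", "a", +1), ("q0", "b"): ("q0", "b", +1),
                  ("q0", "_"): ("q0", "_", +1)}

if __name__ == "__main__":
    pts = intended_interpretation(OVERWRITE, "q0", "qf", "aab", 10)
    # OVERWRITE reaches q_f at time 4, so M^k exists only for k <= 4
    print(len(pts), halts_before(pts, "qf", 5), halts_before(pts, "qf", 4))
    # RUNAWAY never halts: an intended interpretation exists for every k
    print(intended_interpretation(RUNAWAY, "q0", "qf", "aab", 10)[-1][0])
```

For OVERWRITE on "aab" the run yields five time points and the machine is in q_f at time 4, so it halts before time k exactly for k ≥ 5; for RUNAWAY every prefix of the run is an intended interpretation, which is the situation in which F_{M,w} is meant to be valid.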
Given a Turing machine M with input w, the formula G_{M,w} is the conjunction of a set of formulae describing the behaviour of M (i.e. the initial state, the transition table of M, standard properties of s and <, the fact that the machine can be in at most one state at a time and that time ends when the final state is reached). The only temporal operators needed in the encoding are the non strict always operator (including the present time point), written here as ▣ and defined as ▣F =def F ∧ □F, and the weak next operator ○̃, defined as ○̃A =def ○A ∨ □A.

The formula H_{M,w} is ▣∀x¬Q_f(x), intuitively stating, in the intended interpretations, that the machine never halts, and F_{M,w} is G_{M,w} → H_{M,w}.

It can be proved that the formula G_{M,w} logically implies a description D_t of time t, for each time point t such that the machine M has not halted before time t (i.e. for any n = 0, ..., t−1, M is not in the final state). Such formulae have the form ○^t A, where ○^t is a t-length sequence of ○ operators and A describes the symbols on the tape and which the state of the machine and the scanned square are at time t.

The fact that if F_{M,w} is valid then M never halts when given w as an input is straightforward. For the converse, let us assume that M never halts when given w as an input and that nevertheless there exists a model 𝓜 of G_{M,w} ∧ ¬H_{M,w}. Let m be the size of its temporal frame. Since 𝓜 ⊨ ¬▣∀x¬Q_f(x), there is a time point k < m such that 𝓜_k ⊨ ∃xQ_f(x) (note that, if the usual encoding of Turing Machines in classical logic is considered, in the corresponding (classical) model, the time point k could be a non standard number). By using the fact that, if M never halts when given w as an input, G_{M,w} logically implies some description D_k of time k, it can be proved that G_{M,w} logically implies a closed formula of the form ○^k Q_f(p), where p is some term of the form s(s(...(0)...)). Therefore 𝓜^k ⊨ ○^k Q_f(p), where 𝓜^k is the intended interpretation of size k. It follows that at time k the machine M, when given w as an input, is in the final state q_f, i.e. M halts on w: contradiction. ■

Such a result has an impact also on first order LTL with the infinite semantics. Consider the first order fragment LTL_past, containing only unary past time operators, and say that A is valid iff A holds at each time point of each temporal interpretation (in this case, the notion of validity defined in Section 2 is not interesting). A rather straightforward application of Theorem 1 enables us to prove the following result:

Theorem 2. First order LTL_past is not recursively axiomatizable.

4 First Order Bounded Tableaux

In this section, we propose a labelled tableau system to check k-satisfiability of FO-LTL^fin formulae. It extends the system introduced in [7] for the propositional case, whose purpose is to verify whether a set of formulae in nnf is finitely satisfiable (the restriction to nnf formulae is introduced only to simplify the presentation of the rules). The main feature of the system, inspired by [13] and [18], is that of explicitly denoting time points and having tableau nodes labelled either by expressions intuitively stating that a formula holds in a given temporal interval, or by "temporal constraints", i.e. linear inequalities on time points. Branch closure is reduced to unsatisfiability over the integers of the set of temporal constraints in the branch.

Let C = {start, finish, d₁, d₂, d₃, ...} be a set of time constants (intuitively denoting time points, where start is the initial time point and finish the last one). A state is any expression of the form c + n, for c ∈ C and n ∈ ℤ. The set of states is denoted by Σ. It is intended that C ⊆ Σ (c can be rewritten as c + 0). If s, t ∈ Σ, then s ≤ t is a temporal constraint. A labelled formula is an expression of the form [s,t]A, where s, t ∈ Σ and A is a closed LTL formula in nnf (intuitively meaning that A holds at each point in the closed interval [s,t]). [s,s]A will be abbreviated by [s]A.

Tableau nodes are labelled either by temporal constraints or by labelled formulae (in this last case they are called logical nodes). If S is a finite set of formulae in nnf and K is the singleton {finish ≤ start + k} for some integer k ≥ 0 (representing the maximal size of the searched models), then tableaux for S ∪ K are initialized with the set {[start]A | A ∈ S} ∪ K. Nodes are expanded by application of the rules in Table 1, where the expressions s, t, s', t', ... are elements of Σ, C is a set of time constants and P = {a₁, a₂, a₃, ...} is a set of "fresh" parameters (whose role is to "give names" to elements of the object domain), treated as individual constants. Rules for the equality predicate may be added to the rules in Table 1, in a standard way. The set of nodes occurring above the line of a rule is called the premise of the rule, while the sets of nodes occurring below are the expansions of the premise.

In the δ-rule, c is a fresh element of C and a is a fresh element of P. In the γ-rule, u is any ground term occurring in the branch. Note that a sort of contraction is implicit in the β-rule and in the δ-rule; in both cases, the rightmost expansion of the rule contains a node with the same formula already occurring in the premise, even though the labels (intervals) of the nodes are different. Moreover, logical formulae are in general not automatically "consumed" by expanding them; in particular, one may need to expand a universal formula several times by means of the γ-rule, as usual.

The intuition behind the β-rule is the following: either A is true in the whole interval (leftmost branch), or there exists a smallest time point c in the interval where A is false, hence B is true; since c is chosen to be the first of such points, A is true in the (possibly empty) subinterval before it. Similarly, the δ-rule can be read as stating that if ∃xA(x) holds in the non empty interval [s,t], then either A(a) holds at each point of the interval for the same object a (leftmost branch), or A(a) holds for the same object a in a first segment [s,c] of the interval (possibly with c = s), and in the remaining part ∃xA(x) holds again.

The interval and conflict resolution rules augment the set of temporal constraints in the tableau. When the interval rule is applied to expand [s,t]A, we say that it is applied to the interval [s,t], independently of the formula A. This rule distinguishes the cases where an interval is empty or not. Its role is to provide the preconditions for the application of the logical and resolution rules. Intuitively, it is useless (and sometimes incorrect) to expand a node [s,t]A when the interval is empty and, given two nodes [s,t]p, [s',t']¬p, there is no conflict to be solved if either [s,t] or [s',t'] (or both) are empty. Note that such a rule could be dispensed with, and a corresponding branching added to most of the other rules, handling the case where the considered interval is empty.

When the leftmost conflict resolution rule is applied, we say that it is applied to the intervals [s,t] and [s',t'].



Table 1. Tableau expansion rules. In each rule the nodes above the line form the premise; the groups of nodes below the line, separated by "|", are its alternative expansions.

Logical rules

α-rule:
    [s,t] A ∧ B,  s ≤ t
    -------------------
    [s,t] A,  [s,t] B

β-rule:
    [s,t] A ∨ B,  s ≤ t
    ----------------------------------------------------------
    [s,t] A   |   [s,c−1] A,  [c] B,  [c+1,t] A ∨ B   (c ∈ C fresh)

U-rule:
    [s,t] A U B,  s ≤ t
    --------------------------------------------------------
    [c] B,  t+1 ≤ c,  [t+1,c−1] A,  [s+1,t] A ∨ B   (c ∈ C fresh)

□-rule:
    [s,t] □A,  s ≤ t
    ----------------
    [s+1,finish] A

γ-rule:
    [s,t] ∀xA(x),  s ≤ t
    --------------------
    [s,t] A(u)   (u any ground term occurring in the branch)

δ-rule:
    [s,t] ∃xA(x),  s ≤ t
    ------------------------------------------------------------------------------
    [s,t] A(a)   |   s ≤ c,  c ≤ t,  [s,c] A(a),  [c+1,t] ∃xA(x)   (c ∈ C fresh, a ∈ P fresh)

S-rule:
    [s,t] A S B,  s ≤ t
    --------------------------------------------------------
    [c] B,  c ≤ s−1,  [c+1,s−1] A,  [s,t−1] A ∨ B   (c ∈ C fresh)

■-rule (past always):
    [s,t] ■A,  s ≤ t
    ----------------
    [start,t−1] A

Interval rule:
    [s,t] A
    -------------------
    t ≤ s−1   |   s ≤ t

Conflict resolution rules:
    [s,t] p,  [s',t'] ¬p,  s ≤ t,  s' ≤ t'
    --------------------------------------
    t ≤ s'−1   |   t' ≤ s−1

    [s,t] ⊥,  s ≤ t
    ---------------
    t ≤ s−1



In the following, if B is a tableau branch, const(B) denotes the set of temporal constants (elements of C) occurring in B, including start and finish.

Definition 1. Let C be a set of constants (including start and finish) and I a mapping from C to the natural numbers. The notation I* is used to denote the extension of I from states to the integers such that I*(c + n) = I(c) + n for every c ∈ C, n ∈ ℤ.

1. Let T = (0, ..., k) be a finite sequence of integers starting at 0. I is a temporal mapping for C with range T if min{I(c) | c ∈ C} = I(start) = 0 and max{I(c) | c ∈ C} = I(finish) = k. Hence, in particular, the range of a temporal mapping is always finite.

2. If K is a set of temporal constraints over C, then I is a solution to K iff:

(a) I is a temporal mapping for C;

(b) if s ≤ t ∈ K, then I*(s) ≤ I*(t).

3. Let B be a tableau branch, C = const(B) and 𝓜 a temporal interpretation with domain T.

(a) If I is a temporal mapping for C with range T, then (𝓜,I) satisfies B ((𝓜,I) ⊨ B) iff:

i. I is a solution to the set of temporal constraints occurring in B;
ii. if [s,t]A occurs in B, then for every integer i, if i ∈ T and I*(s) ≤ i ≤ I*(t), then 𝓜_i ⊨ A.

(b) B is satisfiable in 𝓜 iff there exists a temporal mapping I for C such that (𝓜,I) ⊨ B.

Definition 2. Let B be a tableau branch and K the set of temporal constraints occurring in B. B is open iff there exists a solution to K. Otherwise it is closed.

The following definition captures the intuitive idea of tableaux where no wasteful expansions are ever performed. In particular, closed branches are never expanded.

Definition 3. A tableau branch B is canonical iff:

— The interval rule is applied at most once to each interval.

— Every logical node is expanded at most once by means of a logical rule, but for nodes of the form [s,t]∀xA, that can be expanded more than once.

— If a node [s,t]∀xA is expanded twice to, respectively, [s,t]A(u) and [s,t]A(u'), via two applications of the γ-rule, then the ground terms u and u' are syntactically different.

— Each conflict resolution rule is applied at most once to each interval (second conflict resolution rule) or pair of intervals (first conflict resolution rule).

— No proper initial subsegment of B is closed.

A tableau is canonical iff all its branches are canonical.

Definition 4. If B is a tableau branch, then B is complete iff there exists no canonical expansion of B. A tableau is complete if all its branches are complete.

Obviously, as in classical tableau systems, a canonical open branch may be infinite, because of the possible reapplication of the γ-rule to a same node. More important, a priori, nothing ensures that a canonical closed branch is finite. In fact, an infinite branch may be closed (i.e. unsatisfiable) because its infinite set K of constraints is unsatisfiable, yet any finite subset of K has a (finite) solution. As an example, consider K = ⋃_{i∈ℕ} {c_i ≤ c_{i+1} − 1}: each finite subset of K has a solution, however K is not finitely satisfiable. Hence, in principle, a canonical tableau might be closed (all its branches being closed) and yet infinite (at least one branch being infinite). However, in the next section, we show that, thanks to the presence of the initial constraint finish ≤ start + k (setting a bound on the size of the searched models), closed tableaux are always finite.

5 Properties of the Bounded Tableau Calculus

In this section we establish the key properties of the calculus defined above. For space reasons, we do not give the full proofs here, which can however be found in [10]. The system can easily be proved to be sound:

Theorem 3 (Soundness w.r.t. k-Unsatisfiability). Let S be a set of closed formulae. If there exists a closed tableau for S ∪ {finish ≤ start + k} then S is k-unsatisfiable. A fortiori, if there exists a finite closed tableau for S ∪ {finish ≤ start + k}, then S is k-unsatisfiable.

Conversely, any complete open branch describes some model of its initial formulae. Such a result needs some preliminary lemmas and definitions. First of all, the invertibility of all the logical rules with respect to their logical nodes can be established, in the following form:

Lemma 1. 1. Let 𝓜 = (T, σ) be a temporal interpretation and I a temporal mapping with range T. For every logical rule but the γ-rule, with premise {[s,t]F, s ≤ t} and expansions B₁ (and possibly B₂), if (𝓜,I) ⊨ B_i (for some i = 1, 2), then (𝓜,I) ⊨ [s,t]F.

2. Let B be an open and complete branch of a tableau and let [s,t]∀xA(x) be a node in B, expanded via a γ-rule. Let 𝓜 be a temporal interpretation such that its object domain is exactly the set of ground terms in the branch, and 𝓜(u) = u for any ground term u in B. Suppose that, for any labelled node [s,t]A(u), where u is a ground term, for each i in [I*(s), I*(t)], 𝓜_i ⊨ A(u). Then, for any such i, 𝓜_i ⊨ ∀xA(x).

The following definition captures the idea of a sequence of applications of the β-rule, each of them expanding an expansion of the previous one, and the similar notion for the case of the δ-rule.

Definition 5. Let B be a tableau branch. A β-node in B is a node of the form [s,t]A ∨ B. A δ-node in B is a node of the form [s,t]∃xA(x). A β-chain in B is a sequence of β-nodes X₀, X₁, ... such that, for every i ≥ 1, X_{i−1} is expanded in B by application of the β-rule and X_i is the β-node in the corresponding rightmost expansion. A k-length-β-chain is a finite β-chain X₀, X₁, ..., X_{k+1}, constituted by k + 2 nodes.

A node X in B is the root node of a β-chain if it is the first node in a β-chain and it is not itself obtained by an application of the β-rule, i.e. there exists a maximal length β-chain in B having X as its first node.

The corresponding notions of δ-chain, k-length-δ-chain and root node of a δ-chain are defined similarly.

A tableau branch may contain an infinite number of β-chains or δ-chains. Moreover, in principle, each chain might be of unbounded length. However, if the branch is satisfiable by a model 𝓜 whose temporal frame is (0, ..., k), each chain has at most k + 1 elements. This fact is stated by the next lemma, whose proof is similar to the corresponding one in [7].

Lemma 2. If B is a canonical open branch and its constraints have a solution I whose range is (0, ..., n), then B contains no k-length-β-chain or k-length-δ-chain with k > n.

The previous lemmas enable us to prove the following result:

Lemma 3. If B is a complete and open tableau branch and I is a solution of the set of temporal constraints occurring in B, then there is an interpretation 𝓜 such that (𝓜,I) ⊨ B.

Proof. Suppose that I is a solution for the constraints in B and let T = (0, ..., n) be the range of I. Let 𝓜 be (T, D, δ_P, δ_F) where D is the set of ground terms in B; for each i in T, sequence t₁, ..., tₙ ∈ Dⁿ, and n-ary predicate p: ⟨t₁, ..., tₙ⟩ ∈ δ_P^i(p) iff there is a node [s,t]p(t₁, ..., tₙ) in B such that I*(s) ≤ i ≤ I*(t); for any n-ary function symbol f and i in T: δ_F^i(f)(t₁, ..., tₙ) = f(t₁, ..., tₙ).

We need to prove that, for any labelled formula [s,t]F ∈ B such that [I*(s), I*(t)] ≠ ∅, and for any i ∈ [I*(s), I*(t)]: 𝓜_i ⊨ F (the case of an empty interval being trivial). In order to do that, we define an order ≺ on the labelled formulae in B as follows. Given [s,t]F ∈ B and [s',t']F' ∈ B, we set [s,t]F ≺ [s',t']F' iff either F is a strict subformula of F', or else [s,t]F is obtained by applying either a β-rule or a δ-rule or an S-rule or a U-rule to [s',t']F'.

Note that the order ≺ is partial and all the labelled formulae [s,t]L in B where L is a literal are minimal for it. The order ≺ is well founded; in order to prove it, the only delicate point is the second item in the definition of ≺. In fact, a priori, there might be an infinite decreasing ≺-chain, whose starting point is either a β-formula or a δ-formula or an S-formula or a U-formula. However, since I is a solution to the constraints in B (with at most n + 1 time points), Lemma 2 rules out such a possibility.

Thus, it suffices to prove by induction on ≺ that if [s,t]F ∈ B then, for any i ∈ [I*(s), I*(t)], 𝓜_i ⊨ F. The inductive step uses Lemma 1.

The proof may be slightly modified so as to hold also in the case where equality rules are present. Of course, in order to define the domain of the model 𝓜, the set of ground terms needs to be quotiented w.r.t. equality. ■



As a consequence, we have the following result:

Theorem 4 (Quasi-Completeness w.r.t. k-unsatisfiability). Let S be a set of formulae and k a natural number. If S is k-unsatisfiable, then there exists a closed tableau for S ∪ {finish ≤ start + k}.

The reason why we call such a result quasi-completeness, rather than completeness, is the following. As we have already remarked, a priori a closed branch might be infinite, because, in principle, we could have an infinite set K of temporal constraints in the branch, such that any finite subset of K has a (finite) solution but K itself has no solution. Thus, in principle, we could have an infinite tableau for a formula A that is indeed closed without being able to finitely recognize this fact. Such an infinite closed tableau would not be a "refutation", since "being a refutation" is meant to be a recursive predicate. Thus, if infinite closed tableaux might exist, Theorem 4 would not imply that the tableau calculus is an effective complete proof system, enabling us to semidecide the k-validity problem for FO-LTL^fin.

However, thanks to the presence of the initial constraint finish ≤ start + k, any closed branch is indeed finite. In fact, if a branch contains an infinite set of constraints K and K has no solution, some finite subset of K has no solution. This property holds because:

1. Since the constraint finish ≤ start + k belongs to K, and, for each temporal constant c, the constraint c ≤ finish (implicitly) belongs to K, any solution for K is necessarily upper bounded by k.

2. If each finite subset of a denumerable set of constraints K has a solution that is upper bounded by k, then K itself has a solution upper bounded by k.

The second fact is a corollary of a more general property:

Let K be a denumerable set of constraints and k a function from the set of constants C occurring in K to the natural numbers. If any finite subset K' of K has a solution I such that, for any constant c occurring in K', I(c) ≤ k(c), then K has a solution I⁺ such that, for each constant c occurring in K, I⁺(c) ≤ k(c).

Proof. This property can be proved by standard combinatorial techniques. Let c₁, c₂, ... be an enumeration of the set C of constants appearing in K. Let e₁, e₂, ... be an enumeration of the elements of K; such an enumeration induces an enumeration K₁, K₂, ... of finite subsets of K, where K_i = {e₁, ..., e_i}. Say that the finite set of constants appearing in K_i is C_i. For each i ≥ 1, by hypothesis there is some solution I_i of K_i such that I_i(c) ≤ k(c) for any constant c ∈ C_i; let us extend such a solution to a function I'_i from C to the natural numbers, by assigning any value to the constants in C − C_i. This operation can be visualized as the construction of a table, possibly having an infinite number of lines and an infinite number of columns:

            c₁          c₂          c₃          ...
   K₁       I'₁(c₁)     I'₁(c₂)     I'₁(c₃)     ...
   K₂       I'₂(c₁)     I'₂(c₂)     I'₂(c₃)     ...
   K₃       I'₃(c₁)     I'₃(c₂)     I'₃(c₃)     ...
   ...

where the labels of the columns are the constants in C and the labels of the lines are the finite subsets K_i. Any line labelled by K_i corresponds to the codomain of the function I'_i and, for each j such that c_j ∈ C_i, the case (i,j) actually contains the value I_i(c_j), where I_i is a "local" solution for K_i. Given any j, let us call "OK cases" of the column j those cases (i,j) in the column such that (i,j) contains I_i(c_j). In order to obtain the required global solution I⁺, its values are defined by induction on j, as follows.

For j = 1, since the values appearing in all the OK cases of the first column are bounded by k(c₁), and there are infinitely many such OK cases, there is at least a number n₁ which appears infinitely often in these cases. Set I⁺(c₁) = n₁, then update the table by erasing each line i such that the content of the case (i,1) ≠ n₁. (Note that an infinite number of lines is left.)

For j > 1, the table updated at the previous stage is considered. Again, there is at least a number n_j which appears infinitely often in the OK cases of the j-th column. Set I⁺(c_j) = n_j, then "erase" each line i such that the content of the case (i,j) ≠ n_j. By construction, I⁺ satisfies each constraint in K, and, for any c ∈ C, I⁺(c) ≤ k(c). ■

Hence, as a consequence of Theorems 3 and 4 we obtain:

Theorem 5. Let S be a set of FO-LTL^fin formulae, k be any positive integer and K = {finish ≤ start + k}.

1. If there exists a closed tableau for S ∪ K, such a tableau is necessarily finite and S is k-unsatisfiable. (Soundness with respect to k-unsatisfiability)

2. If S is k-unsatisfiable, then there exists a finite closed tableau for S ∪ K. (Completeness with respect to k-unsatisfiability)

The tableau system defined in this work is not sound w.r.t. validity tout court: obviously, a formula A might be true in all the temporal interpretations whose time structure is bounded by a given number k without being valid. However, we can slightly modify the tableau definition, simply removing the initial constraint finish ≤ start + k, to obtain a calculus that is indeed sound w.r.t. validity: if a closed tableau for ¬A exists, then ¬A is unsatisfiable, i.e. A is valid.

However, in the unbounded calculus, a closed tableau for S may contain an infinite branch. For instance, take S to be the unsatisfiable set of formulae {□∃xp(x), ○∀y¬p(y)}. Because of the implicit contraction in the δ-rule, the rightmost branch of any tableau for S will contain an infinite set of constraints of the form {c₁ + 1 ≤ c₂ ≤ finish, c₂ + 1 ≤ c₃ ≤ finish, ...}: the absence of the initial constraint on the size of the searched model enables us to continue the construction of a δ-chain ad libitum. Each finite subset of such a set of constraints has a solution, but the set itself has no (finite) solution at all. Thus, although the tableau for S is closed, such a tableau is not a refutation of S.

Hence the unbounded calculus is incomplete w.r.t. validity. Note that the analogue of Theorem 4 holds for the unbounded calculus: given any set S of unsatisfiable formulae, a closed tableau for S does exist. Yet, this does not provide a semidecision procedure for validity.
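Both situations discussed above, the δ-chain whose constraints never close in the unbounded calculus and the guaranteed closure once finish ≤ start + k is present (Section 4's remark on infinite closed branches and Theorem 5), can be checked mechanically: a temporal constraint c + n ≤ d + m is the difference constraint I(c) − I(d) ≤ m − n, so a branch is open iff the corresponding constraint graph has no negative cycle. The following Python program is an added example, not code from the paper. It decides openness with Bellman-Ford, adding the implicit constraints start ≤ c ≤ finish for every constant c and the optional bound; it generates the constraints left by successive rightmost δ-rule expansions of [start+1, finish]∃xp(x), as in the set S above; and it applies the first conflict-resolution rule, assumed here to branch on the two ways in which [s,t] and [s',t'] can be disjoint. The state encoding and all function names are this example's own.

```python
"""Added example: branch closure in the bounded labelled tableau, decided by
treating temporal constraints as difference constraints (Bellman-Ford)."""
from typing import Dict, List, Optional, Tuple

State = Tuple[str, int]            # the state c + n is encoded as ("c", n)
Constraint = Tuple[State, State]   # (s, t) stands for the temporal constraint s <= t


def solve(constraints: List[Constraint], k: Optional[int] = None) -> Optional[Dict[str, int]]:
    """Return a temporal mapping I with I(start) = 0 solving the constraints,
    or None when they are unsatisfiable, i.e. when the branch is closed.
    Implicit constraints start <= c <= finish and, if k is given, the initial
    constraint finish <= start + k are added (assumption: as stated in the text)."""
    consts = {"start", "finish"}
    for (c, _), (d, _) in constraints:
        consts.update((c, d))
    K = list(constraints)
    K += [(("start", 0), (c, 0)) for c in consts]       # start <= c
    K += [((c, 0), ("finish", 0)) for c in consts]      # c <= finish
    if k is not None:
        K.append((("finish", 0), ("start", k)))         # finish <= start + k
    # c + n <= d + m  is  I(c) - I(d) <= m - n : an edge d -> c of weight m - n
    edges = [(d, c, m - n) for (c, n), (d, m) in K]
    dist = {v: 0 for v in consts}                        # virtual source at distance 0
    for _ in range(len(consts)):
        changed = False
        for u, v, w in edges:
            if dist[u] + w < dist[v]:
                dist[v], changed = dist[u] + w, True
        if not changed:
            break
    if any(dist[u] + w < dist[v] for u, v, w in edges):
        return None                                      # negative cycle: closed branch
    base = dist["start"]                                 # shift so that I(start) = 0
    return {c: dist[c] - base for c in consts}


def delta_chain(length: int) -> List[Constraint]:
    """Constraints in the rightmost branch after `length` successive delta-rule
    expansions of [start+1, finish] Ex p(x):
    start+1 <= c1 <= finish, c1+1 <= c2 <= finish, ..."""
    K: List[Constraint] = []
    prev: State = ("start", 0)
    for i in range(1, length + 1):
        ci: State = (f"c{i}", 0)
        K.append(((prev[0], prev[1] + 1), ci))           # prev + 1 <= c_i
        K.append((ci, ("finish", 0)))                    # c_i <= finish
        prev = ci
    return K


def conflict_branches(p: Tuple[State, State], notp: Tuple[State, State]):
    """First conflict-resolution rule on [s,t]p and [s',t']~p, both non-empty:
    the two expansions make the intervals disjoint, t <= s'-1 or t' <= s-1
    (branching form assumed from the text's description of the rule)."""
    (s, t), (s2, t2) = p, notp
    common = [(s, t), (s2, t2)]                          # s <= t and s' <= t'
    left = common + [(t, (s2[0], s2[1] - 1))]            # t <= s' - 1
    right = common + [(t2, (s[0], s[1] - 1))]            # t' <= s - 1
    return left, right


def chain_is_open(length: int, k: Optional[int]) -> bool:
    """True iff the delta-chain of the given length still has a solution."""
    return solve(delta_chain(length), k) is not None


def conflict_closes(p: Tuple[State, State], notp: Tuple[State, State], k: Optional[int]) -> bool:
    """True iff every expansion of the first conflict-resolution rule is closed."""
    return all(solve(branch, k)is None for branch in conflict_branches(p, notp))


if __name__ == "__main__":
    # Unbounded calculus: every finite prefix of the chain is satisfiable, so the
    # rightmost branch never closes, although the chain as a whole has no solution.
    print(all(chain_is_open(n, None) for n in range(1, 20)))       # True
    # Bounded calculus, k = 3: c_i >= i and c_i <= finish <= 3 close the branch
    # after k + 1 expansions, so closed tableaux stay finite.
    print([chain_is_open(n, 3) for n in range(1, 6)])              # [True, True, True, False, False]
    # [start,finish]p against [d,d]~p, d a fresh constant: both expansions close.
    print(conflict_closes((("start", 0), ("finish", 0)), (("d", 0), ("d", 0)), 3))   # True
```

The `solve` function is the whole of "branch closure reduced to unsatisfiability over the integers": because every solution of a difference-constraint system stays a solution under a uniform shift, the distances found by Bellman-Ford can be normalised to I(start) = 0, and the implicit bounds make the result a temporal mapping in the sense of Definition 1.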
6 Conclusions

The contribution of this paper is twofold: we report a negative result on FO-LTL^fin, i.e. first order linear temporal logic over finite temporal frames, and prove a positive one. The negative result shows the impossibility of defining an effective proof system that is complete with respect to FO-LTL^fin validity. The analogous result for "standard" LTL equipped with future time operators had been proven in [1] and [16]; however, such proofs are not immediately exploitable in the case of LTL^fin, since they essentially depend on the possibility of encoding arithmetical formulae in LTL. As a byproduct of our negative result for LTL^fin, first order LTL-validity of formulae containing only past time operators is not recursively enumerable either. As far as FO-LTL^fin with the □ operator only is concerned, it would be interesting to check whether a result analogous to [15] holds (at a first check, the answer seems to be positive, but the details of the proofs are still to be worked out).

On the positive side, we have defined a labelled tableau calculus which is sound and complete w.r.t. bounded validity, that can be the basis for the construction of theorem provers for applications where information is needed about the validity of a temporal formula in all models where the number of time points does not exceed a given bound. This is the case, for instance, of dynamic constraint management in databases, where the question of the "safety" of a given sequence of updates (of a fixed length) with respect to a given constraint is important, as well as of the search for bounded length plans. The tableau calculus we propose makes use of annotations on formulae, indicating the time intervals in which formulae are taken to hold, hence it is formulated in a labelled deduction style, similarly to [13, 18]. In the case of linear temporal logic, the use of labels enables us to encode, inside the proof system itself, the information that time points "behave" as natural numbers. With respect to non labelled calculi (see for example [19]), such an approach presents, in principle, the following main advantages: the possibility of "immediately executing" eventualities (i.e. formulae with an existential commitment), without the need to systematically choose the specific point where the considered formula must hold, and a symmetric treatment of past and future time operators, without the need of a preliminary transformation of formulae into a "separated" form (see [12] and [4]).
Abstract. We relate game-based model checking and model checking via 1-letter simple weak alternating Büchi automata (1SWABA) for the alternation-free μ-calculus. Game-based algorithms have the advantage that in addition to checking whether a formula is valid or not they determine a winning strategy which can be employed for explaining to the user why the formula is valid or not. 1SWABA are a restricted class of alternating Büchi automata and were defined in [BVW94]. They admit efficient automata-based model checking for CTL and the alternation-free μ-calculus. We give an interpretation for these automata in terms of game theory and show that this interpretation coincides with the notion of model checking games for CTL and the μ-calculus. Then we explain that the efficient non-emptiness procedure for 1SWABA presented in [BVW94] can also be understood as a game-based model checking procedure. Furthermore, we show that this algorithm is not only useful for checking the validity of a formula but also for determining a winning strategy for the winner of the underlying model checking game. In this way we obtain a linear time algorithm for model checking games.



1 Introduction

Verification of concurrent systems is one of the main research issues in Computer Science. However, more important than a correctness statement about a system is a hint why a certain feature is not satisfied. Hence, instead of verifying, debugging is more important in developing concurrent systems ([CW96]). Model Checking has been proven to be a powerful tool for verifying systems. Given a system 𝓜 and a property expressed as a logical formula φ, model checking answers the question whether 𝓜 is a model for φ. While every model checking algorithm answers this question, an algorithm suitable for practical applications has to have additional characteristics:

— it must be local, i.e., the algorithm must construct the system, usually specified by some equation system over some process algebra, on demand. In this way, even bugs in an infinite state system may be found

— it must support debugging
The first item is well understood and supported by several model checking algorithms. Especially automata-theoretic based model checking algorithms admit a local implementation. Translating linear temporal logic formulas to automata has proven to be an effective approach for implementing linear-time model checking ([VW86,DGV99]). On the other hand, for branching time temporal logic, automata-theoretic techniques have long been thought to introduce an exponential blow-up for the model checking procedure. However, in [BVW94,KVW98] 1-letter simple weak alternating Büchi automata (1SWABA) were introduced which are suitable for model-checking the logic CTL ([Eme90]) and the alternation free fragment of the μ-calculus in linear time ([Koz83,Sti92]).

Regarding the second requirement for practical model checking algorithms, it is not clear how to support a user with debugging information in general. In case of a linear time logic, there is always one run violating a property φ if φ does not hold. However, for branching time logics or the well known μ-calculus one single counterexample may not exist since you can express properties like "there is a run such that ..." and if such a property is not satisfied, the set of all runs of the system is a counterexample. It is obvious that a set of runs is difficult to visualize for the user.

Stirling ([Sti95]) introduced game based model checking as a technique suitable for debugging. He related model checking to games of two players, ∃loise and ∀belard, and showed that a formula φ is valid if and only if ∃loise has a winning strategy, i.e., she has a chance to win the corresponding game regardless how ∀belard plays. A game based model checking algorithm determines a winning strategy for either ∃loise or ∀belard (depending on the validity of φ). Suppose the model checker determines that φ does not hold. If you try to find this error in your design you can play a game against a verification tool in which you are ∀belard and the tool is ∃loise. If it is your turn you can move the system into a successor state which you think will validate the formula. If it is ∃loise's turn the system will pass into a state falsifying φ. In this way you interactively pass through the states of your system. Given the strategy, the tool wins and shows you in this way why your design is not correct.

In this paper, we argue that the notion of games and 1SWABA have strong 
similarities. We explain how 1SWABA can be interpreted in terms of games. It 
turns out that a run of a 1SWABA corresponds to the plays of a corresponding game 
from ∃loise's point of view. We introduce the notion of a co-run of an alternating 
Büchi automaton representing ∀belard's point of view. We show that a 1SWABA 
has either an accepting run or an accepting co-run. We show that a 1SWABA has an 
accepting run iff ∃loise has a winning strategy, and that it has an accepting co-run iff 
∀belard has a winning strategy for the corresponding game. Furthermore, we 
rephrase the algorithm for checking non-emptiness of 1SWABA from [KVW98] 
and show that it can also be used to determine a winning strategy for the winner 
of the game. 

Furthermore, we show that the notion of model checking games introduced by 
Stirling for the alternation-free fragment of Kozen's μ-calculus corresponds to the 
game interpretation of 1SWABA. Given a transition system and a property, we 
define a corresponding 1SWABA such that an accepting run (co-run) of the 
automaton can directly be interpreted as a winning strategy for ∃loise (∀belard, resp.) 
in the corresponding model checking game. In this way, we obtain a 1SWABA-based, 
linear-time algorithm for model checking games for the alternation-free 
fragment of the μ-calculus. Hence, it meets the best known bounds for model 
checking this fragment ([CS92]) and is more efficient than the game-based 
algorithm for the full μ-calculus by Stirling and Stevens ([SS98]), which is quadratic 
for the alternation-free part of the logic. 

In the next section, we recall the definition of the μ-calculus and explain 
game based model checking. Section 3 introduces alternating Büchi automata and 
1SWABA and gives their interpretation in terms of game theory. Furthermore, 
we explain how the algorithm presented in [KVW98] can be used to determine 
winning strategies. 1SWABA for the alternation-free μ-calculus are introduced 
in Section 4, and it is shown that the notions of model checking games and of games 
for 1SWABA coincide. Finally, we summarize the paper. 

2 The μ-Calculus 

This section recalls the syntax and semantics of the μ-calculus and introduces 
the corresponding model checking games. The definitions cover the full μ-calculus. 
In the next section, we restrict ourselves to its alternation-free fragment. 



2.1 Syntax and Semantics 

Let $Var$ be a set of propositional variables and $\mathcal{A}$ a set of actions. Formulae 
of the modal μ-calculus over $Var$ in positive form, as introduced by [Koz83], are 
defined as follows: 

$\varphi ::= \mathbf{true} \mid \mathbf{false} \mid X \mid \varphi_1 \wedge \varphi_2 \mid \varphi_1 \vee \varphi_2 \mid [K]\varphi \mid \langle K \rangle \varphi \mid \nu X.\varphi \mid \mu X.\varphi$ 

where $X \in Var$ and $K$ ranges over subsets of the actions $\mathcal{A}$.¹ 

A formula φ is normal if every occurrence of a binder μX or νX in φ binds 
a distinct variable, and no free variable X of φ is also used in a binder μX or 
νX. Every formula can easily be converted into an equivalent 
normal formula by renaming bound variables. If a formula φ is normal, every 
variable X of φ identifies a unique subformula μX.ψ or νX.ψ of φ, where X is a 
free variable of ψ. 

Let $\mathcal{T} = (S, T, \mathcal{A}, s_0)$ be a labeled transition system, where $S$ is a finite set of 
states, $\mathcal{A}$ a set of actions and $T \subseteq S \times \mathcal{A} \times S$ denotes the transitions. As usual, 
we write $s \xrightarrow{a} t$ instead of $(s, a, t) \in T$. Furthermore, let $s_0 \in S$ be the initial 
state of the transition system. We employ valuations $V$ mapping a variable $X$ 
to a set of states $V(X) \subseteq S$. Let $V[X/E]$ be the valuation which is the same as 

¹ Note that we define a slight generalization of Kozen's logic, as sets of actions 
instead of single actions appear in modalities ([Sti96]). $\langle - \rangle \varphi$ is an abbreviation for 
$\langle \mathcal{A} \rangle \varphi$. 
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V except for X when V(X) = E. Then the satisfaction of a formula wrt. to a 
transition system T and a state s € 5 is inductively defined as follows: 

(T, s) true 

{T,s)\=vX iffsGVW 

(T, s) t=v A V’ ifif (T, s) and (T, s) \=v ‘4’ 

(T, s) |=v V? V V' iff (T, s) |=v V or (T, s) |=v 4> 

(7", s) |=v [K]<p iff Va G /f if s A t then (T, t) H> 

[T, s) |=v {K)(f iff 3a G /iT s A t and (T, t) ^=v if 
(T, s) t=v (iX.if iff3E C2^,s € E and Vt 6 E : (T, t) hv[x/£] f 
(V, s) t=v iff VE C 2^ if s ^ £ then 3t e S : t ^ E 
and (T, t) \=v[x/E] V> 

In the following, we abbreviate $(\mathcal{T}, s_0) \models_V \varphi$ by $\mathcal{T} \models \varphi$ for a formula φ 
without free variables. We use variables like φ, ψ, ... for formulae, s, t, ... 
for states and a, b, ... for actions of the transition system under consideration. 
K denotes a set of actions. σ is used for either μ or ν whenever the sort of 
the fixed point does not matter. 

2.2 Games for the μ-calculus 

Given a transition system $\mathcal{T} = (S, T, \mathcal{A}, s_0)$ and a formula φ we can define 
the model checking game. Its board is the Cartesian product of the set of states 
and of the set of subformulae, $S \times Sub(\varphi)$. The latter is defined by: 

$Sub(\mathbf{true}) := \{\mathbf{true}\}$ 

$Sub(\mathbf{false}) := \{\mathbf{false}\}$ 

$Sub(X) := \{X\}$ 

$Sub(\varphi \vee \psi) := \{\varphi \vee \psi\} \cup Sub(\varphi) \cup Sub(\psi)$ 

$Sub(\varphi \wedge \psi) := \{\varphi \wedge \psi\} \cup Sub(\varphi) \cup Sub(\psi)$ 

$Sub([K]\varphi) := \{[K]\varphi\} \cup Sub(\varphi)$ 

$Sub(\langle K \rangle \varphi) := \{\langle K \rangle \varphi\} \cup Sub(\varphi)$ 

$Sub(\sigma X.\varphi) := \{\sigma X.\varphi\} \cup Sub(\varphi)$ 

The game is played by two players, namely ∀belard (the pessimist), who 
wants to show that $\mathcal{T} \models \varphi$ does not hold, and ∃loise (the optimist), who wants 
to show the opposite. 

The game can be viewed as moving pebbles on both components of the game 
board. The idea of the playing rules is already given by the semantics of the 
μ-calculus: the question whether a state fulfills a formula can be answered by 
inspecting its successors and/or the subformulae. Therefore the model checking 
game is a (possibly infinite) sequence $G(s, \varphi) = C_0 \to_{p_0} C_1 \to_{p_1} C_2 \to_{p_2} \cdots$ 
of configurations, where $C_i \in S \times Sub(\varphi)$ for all $i$. The second component of 
a configuration $C_i$ determines the player $p_i$ who is to choose the next move. 
∀belard does universal $\to_\forall$-moves, ∃loise does existential $\to_\exists$-moves. That means, 
whenever 

1. $C_i = (s, \mathbf{false})$, then the game is finished. 

2. $C_i = (s, \psi_1 \wedge \psi_2)$, then ∀belard chooses either $\psi = \psi_1$ or $\psi = \psi_2$ and 
$C_{i+1} = (s, \psi)$. 

3. $C_i = (s, [K]\psi)$, then ∀belard chooses a transition $s \xrightarrow{a} t$ with an action $a \in K$ 
and $C_{i+1} = (t, \psi)$. 

4. $C_i = (s, \nu X.\psi)$, then $C_{i+1} = (s, \psi)$.² 

5. $C_i = (s, \mathbf{true})$, then the game is finished. 

6. $C_i = (s, \psi_1 \vee \psi_2)$, then ∃loise chooses either $\psi = \psi_1$ or $\psi = \psi_2$ and 
$C_{i+1} = (s, \psi)$. 

7. $C_i = (s, \langle K \rangle \psi)$, then ∃loise chooses a transition $s \xrightarrow{a} t$ with an action $a \in K$ 
and $C_{i+1} = (t, \psi)$. 

8. $C_i = (s, \mu X.\psi)$, then $C_{i+1} = (s, \psi)$.² 

9. $C_i = (s, X)$ and $\varphi' = \sigma X.\psi$ is the fixed point formula belonging to $X$, then 
$C_{i+1} = (s, \varphi')$. 

As the moves 1, 4, 5, 8 and 9 are deterministic, no player needs to be charged 
with them. With regard to the winning strategies and the algorithm we will 
speak of ∀belard-moves in cases 1–4 and in case 9 if σ = μ, and of ∃loise-moves in all other 
cases. 

Unlike in traditional Ehrenfeucht–Fraïssé games the players need not move 
alternately. The next turn is determined not by the player but by the current 
subformula. 




Fig. 1. A small transition system 



Let us consider an example. We present three possible plays of the game 
given by the transition system in Figure 1 and the formula $\varphi = \mu X.\langle - \rangle X \vee \langle a \rangle \mathbf{true}$:³ 

$G_1(s_0, \varphi) = (s_0, \varphi) \to_\exists (s_0, \langle - \rangle X \vee \langle a \rangle \mathbf{true}) \to_\exists (s_0, \langle a \rangle \mathbf{true}) \to_\exists (s_1, \mathbf{true})$ 

$G_2(s_0, \varphi) = (s_0, \varphi) \to_\exists (s_0, \langle - \rangle X \vee \langle a \rangle \mathbf{true}) \to_\exists (s_0, \langle - \rangle X) \to_\exists (s_1, X) \to_\forall (s_1, \varphi) \to_\exists (s_1, \langle - \rangle X \vee \langle a \rangle \mathbf{true}) \to_\exists (s_1, \langle a \rangle \mathbf{true})$ 

$G_3(s_0, \varphi) = (s_0, \varphi) \to_\exists (s_0, \langle - \rangle X \vee \langle a \rangle \mathbf{true}) \to_\exists (s_0, \langle - \rangle X) \to_\exists (s_0, X) \to_\forall (s_0, \varphi) \to_\exists \cdots$ 

² Note that in [Sti97] Stirling uses slightly different rules for the unwinding of the fixed 
point formulae. 

³ φ expresses the possibility to do an a-action at some point. 

It is clear that the first play is won by ∃loise because she forced it to end in a 
true-configuration. It is also clear that ∀belard wins $G_2$, because ∃loise got 
stuck as there is no a-action possible in state $s_1$. 

The question is now: who wins the third game, which has an infinite loop? As 
the game contains infinitely many φ-configurations, it is equivalent to an infinite 
unfolding of a least fixed point formula. That means the fixed point could not be 
computed (otherwise the game would be of finite length). Least fixed points are 
special (second order) ∃-quantifiers, so ∃loise, who is responsible for correct existential 
moves, failed. Therefore ∀belard wins $G_3$. 

In general, ∀belard wins a game G iff 

- $G = C_0, \ldots, C_n$ and $C_n = (s, \mathbf{false})$ for some state $s$; 

- $G = C_0, \ldots, C_n$ and $C_n = (s, \langle K \rangle \varphi)$ and there is no $t$ with $s \xrightarrow{a} t$ for any $a \in K$; 

- $G = C_0, \ldots$ has infinite length and the outermost fixed point which is 
unwound infinitely often is a μ-fixed point. 

Dually, ∃loise wins a game G iff 

- $G = C_0, \ldots, C_n$ and $C_n = (s, \mathbf{true})$ for some state $s$; 

- $G = C_0, \ldots, C_n$ and $C_n = (s, [K]\varphi)$ and there is no $t$ with $s \xrightarrow{a} t$ for any $a \in K$; 

- $G = C_0, \ldots$ has infinite length and the outermost fixed point which is 
unwound infinitely often is a ν-fixed point. 

The example showed that a game given by a transition system and a formula 
can have several plays, and these need not have the same winner. In order to use 
the games for model checking we must abstract from such variant plays. (Note that ∃loise 
can always win every play of our example if she moves as she did in $G_1$.) 
That leads to the notion of a winning strategy. A strategy is a set of rules for a 
player p telling her or him how to move in the current configuration. A winning 
strategy is a set of rules allowing p to win every play if she/he plays according to the 
rules. The relation between winning strategies and model checking is expressed 
by the following theorem. It means that the model checking problem for the 
μ-calculus is equivalent to finding a winning strategy for one of the players. 

Theorem 1 ([Sti96]). Let $\mathcal{T}$ be a transition system with starting state $s$ and 
let φ be a μ-calculus formula. 

1. $(\mathcal{T}, s) \models \varphi$ iff ∃loise has a winning strategy for every game starting at $(s, \varphi)$. 

2. $(\mathcal{T}, s) \not\models \varphi$ iff ∀belard has a winning strategy for every game starting at $(s, \varphi)$. 

In Section 4 we will present an algorithm for determining a winning strategy 
for either ∃loise or ∀belard in the model checking games for the alternation-free 
μ-calculus. As a corollary, we obtain a proof of the last theorem (restricted to 
formulas of the alternation-free fragment). 

All possible plays of a game are captured in the game graph. It is the graph 
whose nodes are the elements of the game board and whose arrows are the 
possible moves of the players. A game graph is shown in Figure 2 (Section 4). 

In the following, we restrict ourselves to the alternation-free μ-calculus, which 
is the sublogic of the μ-calculus in which no subformula ψ of a formula φ contains 
both a free variable X bound by a μ in φ and a free variable Y bound by 
a ν in φ. 



3 Alternating Büchi Automata 

Nondeterminism gives an automaton the power of existential choices: a word w 
is accepted by an automaton iff there exists an accepting run on w. Alternation 
gives a machine the power of universal choices and was studied in [BL80,CKS81] 
(in the context of automata). In this section we recall the notion of alternating 
automata along the lines of [Var96], where alternating Büchi automata are used 
for model checking LTL. For an introduction to Büchi automata we refer to 
[Tho90]. 

For a finite set $X$ of variables let $\mathcal{B}^+(X)$ be the set of positive Boolean 
formulas over $X$, i.e., the smallest set such that 

- $X \subseteq \mathcal{B}^+(X)$ 

- $\mathbf{true}, \mathbf{false} \in \mathcal{B}^+(X)$ 

- $\varphi, \psi \in \mathcal{B}^+(X) \Rightarrow \varphi \wedge \psi \in \mathcal{B}^+(X),\ \varphi \vee \psi \in \mathcal{B}^+(X)$ 

The dual of a formula $\varphi \in \mathcal{B}^+(X)$, denoted by $\overline{\varphi}$, is the formula where false 
is replaced by true, true by false, ∨ by ∧ and ∧ by ∨. 

We say that a set $Y \subseteq X$ satisfies a formula $\varphi \in \mathcal{B}^+(X)$ ($Y \models \varphi$) iff φ evaluates 
to true when the variables in $Y$ are assigned true and the members of $X \setminus Y$ 
are assigned false. For example, $\{q_1, q_3\}$ as well as $\{q_1, q_4\}$ satisfy the formula 
$(q_1 \vee q_2) \wedge (q_3 \vee q_4)$. 

Let us consider a Büchi automaton (BA). For a state $q$ and an action $a$ 
let $\{q_1, \ldots, q_k\} = \{q' \mid q \xrightarrow{a} q'\}$ be the set of possible next states for $(q, a)$. 
The key idea of alternation is to describe the nondeterminism by the formula 
$q_1 \vee \cdots \vee q_k \in \mathcal{B}^+(Q)$. Hence, we write $q \xrightarrow{a} q_1 \vee \cdots \vee q_k$. If $k = 0$ we write 
$q \xrightarrow{a} \mathbf{false}$. Alternation is introduced by allowing an arbitrary formula of 
$\mathcal{B}^+(Q)$. Let us be more precise: 

Definition 1. An Alternating Büchi Automaton (ABA) over an alphabet $\Sigma$ is 
a tuple $\mathcal{A} = (Q, \delta, q_0, \mathcal{F})$ such that $Q$ is a finite nonempty set of states, $q_0 \in Q$ 
is the initial state, $\mathcal{F} \subseteq Q$ is a set of accepting states and $\delta : Q \times \Sigma \to \mathcal{B}^+(Q)$ 
is the transition function. 
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Because of universal quantification a run is no longer a sequence but a tree. 
A Q-labeled tree r is a pair {t, T) such that t is a tree and T : nodes{t) -> Q. As 
T is not necessarily one to one we identify nodes in the following czinonical way: 
The root is marked with e, if a node s is marked with w then a child s' labeled 
with q is marked with wq. 

For a node s let |s( denote its height, i.e., (£| = 0, |t«g| = Iwj + 1. A branch 
of r is a maximal sequence jd = so,Si, . . . of nodes of r such that so is the root 
of r and Si is the father of s<+i, i € IN. The word induced by (for short fi's 
word) is the sequence of labels of /3, i.e., the sequence T{so), T{si), . . . 

A run of an alternating BA A = {Q,S,qo,^) on a word w = aooi ... is a 
(possibly infinite) Q-labeled tree r such that T{e) = qo and the following holds: 

if X is a node with |x| = t, T(x) = q and S(q,ai) = q) then either (p € 

{true, false} and x has no children or x has k children xi, . . . , xt for some 

k < IQI and {T(xi), . . . ,T{xk)) satisfies ip. 

The run r is accepting if every finite branch ends on true (i.e., 6{T{x), a,) = true 
where x denotes the maximum element of the branch wrt. the height and i 
denotes its height) and every infinite branch of r hits an element of T infinitively 
often. 

It is obvious that every Büchi automaton can be turned into an equivalent 
(with respect to the accepted language) alternating Büchi automaton in the way 
described above. The converse is also true and is described for example in [Var96]. 
However, the construction involves an exponential blow-up. Hence, checking the 
emptiness of the language of an ABA by transforming it into an equivalent 
BA is not feasible for real world model checking applications. For a subclass 
of ABAs suitable for our needs, however, a linear non-emptiness decision procedure 
can be given. 

An ABA $\mathcal{A} = (Q, \delta, q_0, \mathcal{F})$ over an alphabet $\Sigma$ is called 1-letter iff the 
alphabet contains just one letter, i.e., $|\Sigma| = 1$. A formula $\varphi \in \mathcal{B}^+(X)$ is simple if 
it is either atomic, true, false, or a conjunction or a disjunction of variables of $X$ 
only. That means it has the form $x_1 * \cdots * x_k$ where $* \in \{\vee, \wedge\}$ and 
$x_i \in X$. An ABA is simple if all its transitions are simple. 

An ABA is called weak iff there exists a partition of $Q$ into disjoint sets 
$Q_1, \ldots, Q_m$ such that for each set $Q_i$, either $Q_i \subseteq \mathcal{F}$, in which case $Q_i$ is an 
accepting set, or $Q_i \cap \mathcal{F} = \emptyset$, in which case $Q_i$ is a rejecting set. In addition, 
there exists a partial order $\le$ on the collection of the $Q_i$'s such that for every 
$q \in Q_i$ and $q' \in Q_j$ for which $q'$ occurs in $\delta(q, a)$ for some $a \in \Sigma$, we have 
$Q_j \le Q_i$. Thus, transitions from a state in $Q_i$ lead to states in either the same 
$Q_i$ or a lower one. It follows that every infinite path of a run of a weak ABA 
ultimately gets “trapped” within some $Q_i$. The path then satisfies the acceptance 
condition if and only if $Q_i$ is an accepting set. Indeed, a run visits infinitely many 
states in $\mathcal{F}$ iff it gets trapped in an accepting set. 

In the following, we take a closer look at 1-letter simple weak alternating 
Büchi automata (1SWABA), which were first considered in [BVW94]. While at 
first sight they seem to be a quite unnatural restriction of ABA, they have 
a nice interpretation in terms of games. Before we come to this, we need a few 
basic insights into 1SWABA. 

A co-run of an ABA $\mathcal{A} = (Q, \delta, q_0, \mathcal{F})$ on a word $w = a_0 a_1 \ldots$ is a (possibly 
infinite) $Q$-labeled tree $r$ such that $T(\varepsilon) = q_0$ and the following holds: 

if $|x| = i$, $T(x) = q$ and $\delta(q, a_i) = \varphi$, then either $\varphi \in \{\mathbf{true}, \mathbf{false}\}$ and 
$x$ has no children, or $x$ has $k$ children $x_1, \ldots, x_k$ for some $k \le |Q|$ and 
$\{T(x_1), \ldots, T(x_k)\}$ satisfies $\overline{\varphi}$ (the dual of $\varphi$). 

The co-run is accepting if every finite branch ends on false (i.e., $\delta(T(x), a_i) = 
\mathbf{false}$, where $x$ denotes the maximal element of the branch and $i$ denotes its 
height) and every infinite branch of $r$ hits elements of $\mathcal{F}$ only finitely 
often. 

Let $\Sigma = \{a\}$. We will show in the following that a 1SWABA has an accepting 
run if and only if it has no accepting co-run. Then it is obvious that the language 
accepted by a 1SWABA is either empty or $\{a^\omega\}$, and the co-language is $\{a^\omega\}$ or 
empty (resp.), where the co-language of a 1SWABA consists of the words of $\Sigma^\omega$ 
for which an accepting co-run exists. Hence, the most interesting question for a 
1SWABA is whether it accepts a word or not, i.e., whether it has an accepting 
run or an accepting co-run on $a^\omega$. 
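The following Python code is an added example and not code from the paper. It makes the definitions of this section concrete: satisfaction of a positive Boolean formula by a set $Y$, the dual formula, the duality $Y \models \varphi$ iff $X \setminus Y \not\models \overline{\varphi}$ that underlies the co-run condition, and a checker that classifies a finite $Q$-labeled tree as a valid or accepting run or co-run of an ABA. The automaton and the three trees at the end are constructed for illustration; the input word is given as the period of an infinite word, so 'a' stands for $a^\omega$.

```python
"""Positive Boolean formulas B+(X) and the run / co-run conditions of Section 3,
checked on finite Q-labelled trees.  Added example; not the paper's code."""
from itertools import combinations

# Formulas as nested tuples: ('var', x) ('true',) ('false',) ('and', f, g) ('or', f, g)
SWAP = {'true': 'false', 'false': 'true', 'and': 'or', 'or': 'and'}


def var(x):
    return ('var', x)


def satisfies(Y, f):
    """Y |= f: f is true when the variables in Y are true and all others false."""
    k = f[0]
    if k == 'var':
        return f[1] in Y
    if k in ('true', 'false'):
        return k == 'true'
    left, right = satisfies(Y, f[1]), satisfies(Y, f[2])
    return (left and right) if k == 'and' else (left or right)


def dual(f):
    """Swap true/false and and/or; variables stay as they are."""
    if f[0] == 'var':
        return f
    return (SWAP[f[0]],) if len(f) == 1 else (SWAP[f[0]], dual(f[1]), dual(f[2]))


def duality_holds(X, f):
    """Y |= f iff X \\ Y does not satisfy the dual of f, for every Y subseteq X:
    the dual refutes exactly the successor sets a run could have used."""
    X = sorted(X)
    subsets = (frozenset(c) for r in range(len(X) + 1) for c in combinations(X, r))
    return all(satisfies(Y, f) != satisfies(frozenset(X) - Y, dual(f)) for Y in subsets)


def tree_status(delta, Q, tree, word, co=False, height=0):
    """Classify a finite Q-labelled tree (label, children) against an ABA with
    transition function delta[q, letter]; word is the period of the infinite
    input word ('a' stands for a^omega).  'invalid': some node violates the run
    condition (the co-run condition, with dual formulas, if co is set);
    'accepting': every branch also ends on true (false for a co-run); else 'valid'."""
    q, children = tree
    f = delta[q, word[height % len(word)]]
    if f[0] in ('true', 'false'):
        if children:
            return 'invalid'                  # true/false nodes are leaves
        return 'accepting' if f[0] == ('false' if co else 'true') else 'valid'
    want = dual(f) if co else f
    if len(children) > len(Q) or not satisfies(frozenset(c[0] for c in children), want):
        return 'invalid'
    if not children:
        return 'valid'                        # branch ends, but not on true/false
    results = {tree_status(delta, Q, c, word, co, height + 1) for c in children}
    return next(r for r in ('invalid', 'valid', 'accepting') if r in results)


# Constructed 1-letter ABA over {a} and three trees for it.
Q = {'q0', 'q1', 'q2', 'qt', 'qf'}
DELTA = {('q0', 'a'): ('and', var('q1'), var('q2')),
         ('q1', 'a'): ('or', var('qt'), var('qf')),
         ('q2', 'a'): var('qt'),
         ('qt', 'a'): ('true',),
         ('qf', 'a'): ('false',)}
RUN = ('q0', [('q1', [('qt', [])]), ('q2', [('qt', [])])])   # an accepting run
CORUN = ('q0', [('q1', [('qt', []), ('qf', [])])])           # a co-run, not accepting
BAD = ('q0', [('q1', [('qt', [])])])                          # {q1} does not satisfy q1 ^ q2
```

For the constructed automaton the tree `RUN` is an accepting run, so by the duality no accepting co-run can exist: `CORUN` is a legal co-run (its children satisfy the dual formulas $q_1 \vee q_2$ and $q_t \wedge q_f$), but one of its branches ends on true rather than false.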

However, before we present an algorithm for checking emptiness, we 
interpret a 1SWABA $\mathcal{A} = (Q, \delta, q_0, \mathcal{F})$ over $\{a\}$ in terms of games. As 
in the last section, let ∃loise be the optimist and ∀belard the pessimist. ∃loise 
wants to show that $\mathcal{A}$ accepts $a^\omega$, while ∀belard wants to show the contrary. 
Hence, ∀belard wants to show that there is an accepting co-run. What are the 
rules of the game? The board consists of $Q$. A configuration is a state $q \in Q$. 
Consider $\varphi = \delta(q, a)$. If $\varphi = \mathbf{true}$ then ∃loise has won. Dually, if $\varphi = \mathbf{false}$ 
∀belard has won. If $\varphi = q_1 \vee \cdots \vee q_k$, ∃loise must pass the pebble to one of the $q_i$. 
Dually, if $\varphi = q_1 \wedge \cdots \wedge q_k$ then ∀belard has to pass the pebble to one of the $q_i$.⁴ 
If the play goes on forever, then ∃loise wins if she passes infinitely many 
$q \in \mathcal{F}$. Otherwise, ∀belard wins. 

Now we are going to show that accepting runs (co-runs) “capture” winning 
strategies for ∃loise (∀belard). Suppose that there is an accepting run for $a^\omega$. 
Then every branch of the run can be understood as a play which ∃loise wins. It 
is obvious that every sequence of configurations along a branch of an accepting 
run is a play according to the rules. Furthermore, if the branch is finite, it 
corresponds to a finite play. Since the run is accepting, it ends on true. Hence, 
∃loise has won. If the branch is infinite, the run is accepting only if infinitely 
many final states are visited. So again ∃loise wins. If there is an accepting co-run, 
every branch can also be understood as a play. However, these plays are won 
by ∀belard. Either the branch is finite, in which case it ends on false; then 
∀belard wins. Or the branch is infinite, in which case the acceptance condition requires 
that states from $\mathcal{F}$ are visited only finitely often. Hence, ∀belard wins these plays as well. 

More specifically, a run on $a^\omega$ can be understood as a winning tree for ∃loise 
and a co-run can be understood as a winning tree for ∀belard. A winning tree 
for a player P is a tree such that the nodes are labeled by configurations of the 
game and a configuration $q$ is a parent of $q'$ only if there is a possible move 
from $q$ to $q'$. Furthermore, the root is labeled by the initial configuration of the 
game. In addition, if $q$ is a configuration and $q_1, \ldots, q_k$ are all possible moves 
of the opponent, then $q$ has at least $k$ children labeled by $q_1, \ldots, q_k$ (and every 
label occurs). Hence, a winning tree for player P subsumes all possible moves of 
the opponent. 

⁴ We do not bother ourselves with discussing who has to move in the case $k = 1$. 

Suppose that there is an accepting run on $a^\omega$. Then ∀belard has the possibility 
to choose in a configuration $q$ with $\delta(q, a) = q_1 \wedge \cdots \wedge q_k$ how to proceed. 
However, due to the definition of a run, there are at least $k$ successors labeled by 
$q_1, \ldots, q_k$, and every successor either ends on true or lies on a branch visiting 
a final state infinitely often. Hence, given an accepting run for $a^\omega$, ∃loise has a 
winning strategy by playing according to an arbitrary branch of the tree. Dually, 
suppose that there is an accepting co-run for $a^\omega$. Then ∃loise has the possibility 
to choose in a configuration $q$ with $\delta(q, a) = q_1 \vee \cdots \vee q_k$ how to 
proceed. However, due to the definition of a co-run, there are at least $k$ successors 
labeled by $q_1, \ldots, q_k$, and every successor either ends on false or lies on a 
branch visiting final states only finitely often. Hence, ∀belard has a winning 
strategy by playing according to an arbitrary branch of the tree. 

On the other hand, a winning strategy for ∃loise (∀belard) gives rise to an 
accepting run (co-run) on $a^\omega$. Suppose that ∃loise has a winning strategy for the 
game starting in the initial configuration $q_0$. By considering the possible moves 
of ∀belard and ∃loise, a run can be defined inductively. If the game ends in a 
configuration $q$, then $\delta(q, a) = \mathbf{true}$, and a new node labeled by true is added 
as a child of $q$ in the run tree. If it is ∀belard's turn in the configuration $q$, 
let $\{q_1, \ldots, q_k\}$ be the possible moves. This means that $\delta(q, a) = q_1 \wedge \cdots \wedge q_k$. 
New nodes labeled by $q_1$ to $q_k$ are added as children of $q$ in the run, and the 
configurations $q_1, \ldots, q_k$ are considered inductively. Note that $\{q_1, \ldots, q_k\}$ satisfies 
$\delta(q, a)$. If it is ∃loise's turn in the configuration $q$, then her winning strategy 
identifies a move $q'$. Add a new node labeled by $q'$ as a child of $q$. Because 
of the rules of the game, $\{q'\}$ satisfies $\delta(q, a)$. Note that the 
run defined in this way is well-defined. Furthermore, it is accepting: every finite 
branch ends on true, and every infinite branch captures a possible play in which ∃loise 
plays according to her winning strategy. So she wins, which means that a final 
state is passed infinitely often. The dual argument shows that a winning 
strategy for ∀belard gives rise to an accepting co-run of the automaton. 

Now we give a sketch of an algorithm which decides whether the 
language of a 1SWABA $\mathcal{A}$ is empty or not. Hence, it determines whether there 
is an accepting run or an accepting co-run for $a^\omega$. More specifically, it constructs a graph whose 
nodes are the states of $\mathcal{A}$ (or, in terms of games, the possible configurations of the 
game). It labels a state $q$ by green or red depending on whether there is a winning 
strategy for ∃loise or for ∀belard in a game beginning in $q$. In terms of automata, 
this means that there is an accepting run or co-run for the automaton starting 
in $q$. Furthermore, if the initial configuration of the graph is labeled green, 
then unwinding (certain) green nodes of the graph yields an accepting run (or, in 
terms of games, a winning tree for ∃loise). Dually, if the initial node is labeled 
red, then unwinding (certain) red nodes of the graph yields an accepting co-run 
(or, in terms of games, a winning tree for ∀belard). Checking whether there is 
an accepting run or an accepting co-run is thus reduced to checking whether 
the initial state is labeled green or red. 

Furthermore, the labeling can be determined in linear time with respect to the number 
of states of the automaton ([BVW94]). However, we restrict ourselves to showing 
the idea of the algorithm. We refer to [BVW94], where the emptiness problem 
for 1SWABA is solved by such a labeling algorithm. 

Let $(Q, E, l)$ be the graph where the nodes are the states of the automaton 
$\mathcal{A}$ and $(q, q') \in E \subseteq Q \times Q$ iff $q$ to $q'$ is a possible move of the game. Furthermore, 
let $l : Q \to \{\exists\text{loise}, \forall\text{belard}\}$ be the mapping telling whether in configuration $q$ 
it is ∃loise's turn or ∀belard's, i.e., whether $\delta(q, a)$ is a disjunction or a conjunction, resp. 

As $\mathcal{A}$ is weak, there exists a partition of $Q$ into disjoint sets $Q_i$ such that for 
each set $Q_i$, either $Q_i \subseteq \mathcal{F}$, in which case $Q_i$ is an accepting set, or $Q_i \cap \mathcal{F} = \emptyset$, 
in which case $Q_i$ is a rejecting set. Furthermore, there exists a partial order 
$\le$ on the $Q_i$ such that for every $q \in Q_i$ and $q' \in Q_j$ for which $q'$ occurs in 
$\delta(q, a)$, we have $Q_j \le Q_i$. Thus, transitions from a state in $Q_i$ lead to states 
in either the same $Q_i$ or a lower one. Without loss of generality, states $q$ for 
which $\delta(q, a) = \mathbf{true}$ ($\delta(q, a) = \mathbf{false}$) form singleton sets which are accepting 
(rejecting, resp.) and least elements with respect to the partial order. 

The graph can be colored by processing the $Q_i$ upwards according to the partial 
order. To make the algorithm deterministic, extend the partial order on the $Q_i$ 
to a total order. Let $Q_i$ be minimal with respect to $\le$. Hence, every transition of every 
state of $Q_i$ leads back into $Q_i$. If $Q_i$ is accepting, its nodes are labeled green, otherwise 
red. In particular, if $Q_i$ consists only of a state $q$ with $\delta(q, a) = \mathbf{true}$ ($\mathbf{false}$) 
it is labeled green (red). 

Let $Q_j$ be the next set of states with respect to the total order. Then all states in 
sets $Q_i < Q_j$ are already colored either red or green, and a play that stays in $Q_j$ 
forever is won by ∀belard if $Q_j$ is rejecting and by ∃loise if $Q_j$ is accepting. Now we 
distinguish two cases. Suppose $Q_j$ is a rejecting set. Then a node of $Q_j$ is labeled 
green iff ∃loise can force the play from there into a green node of a smaller component: 
starting from the green nodes outside $Q_j$, a node in which it is ∃loise's turn becomes 
green as soon as one of its successors is green, and a node in which it is ∀belard's turn 
becomes green as soon as all of its successors are green; this is repeated until nothing 
changes. All remaining nodes of $Q_j$ are colored red, since from them ∃loise has no 
possibility to successfully leave the rejecting set. If $Q_j$ is an accepting 
set, one dually looks for the nodes from which ∀belard can force the play into a 
smaller, red-colored component (a ∀belard node with a red successor, an ∃loise node 
all of whose successors are red, iterated in the same way). These nodes are colored red, 
all others green. 

In this way, all nodes can be colored by either green or red. Furthermore, a 
node $q$ is labeled green iff ∃loise has a winning strategy for 
the play beginning in $q$. Dually, a node is labeled red if and only if ∀belard 
has a winning strategy for the play beginning in $q$. Hence, we have shown that a 
1SWABA has either an accepting run or an accepting co-run. If the initial node 
of the colored graph is labeled green, then the automaton has an accepting 
run, otherwise an accepting co-run. Furthermore, suppose the automaton has an 
accepting run. Then one run can be obtained from the colored graph in the 
following way. We start with the initial node, which is labeled green. Given a 
node $x$ in the run tree, we add all successors of $x$ iff it is ∀belard's 
turn. If it is ∀belard's turn, then $\delta(x, a)$ is a conjunction and we have to add all 
successors of $x$ to satisfy this conjunction. Since all the successors are labeled 
green (otherwise $x$ wouldn't be green), ∃loise still has the chance to win 
the play. In other words, every branch can still be extended to an accepting 
branch. Now, suppose it is ∃loise's turn in a node $x$. Hence $\delta(x, a) = \varphi$ is a 
disjunction and every single successor satisfies $\varphi$. Now it is ∃loise's duty to choose a 
suitable successor. Of course, she has to take a child labeled green. If $x$ is 
a member of a rejecting set, then ∃loise must not cycle within that component but 
choose a green successor that is strictly closer (in the number of moves she needs to 
force) to a green node of a smaller component; because of the labeling 
algorithm such a node must exist. Hence, every branch of the run eventually leaves 
each rejecting set and ends in an accepting set. That means it either contains a node 
labeled true or, from some point on, its nodes are a subset of $\mathcal{F}$. Hence, the run 
is accepting. The dual procedure identifies a co-run if the initial node is labeled red. 

In the next section we define a 1SWABA for a given transition 
system and a formula of the alternation-free fragment of the μ-calculus. 



4 1SWABA for Model Checking the Alternation-Free 
μ-Calculus 

In this section, we show that model checking games can be understood 
as 1-letter simple weak alternating Büchi automata. Given a transition system 
$\mathcal{T} = (S, T, \mathcal{A}, s_0)$ and a formula φ of the alternation-free μ-calculus, we define, 
by employing the rules of the corresponding model checking game, a 1SWABA $\mathcal{A}$ 
such that the language of this automaton is empty if and only if ∀belard has a 
winning strategy for $G(s_0, \varphi)$. Furthermore, a corresponding co-run is a winning 
tree for ∀belard. Dually, if the language of the automaton is non-empty then 
∃loise has a winning strategy, and a corresponding run is a winning tree for her. 
As a corollary, this shows Theorem 1 restricted to the alternation-free fragment 
of the μ-calculus. 

Let the states of $\mathcal{A}$ be the Cartesian product of $S$ and $Sub(\varphi)$. Let $\Sigma = \{a\}$ 
for an arbitrary $a$. Let $\delta$ be defined in the following way:⁵ 

- $\delta(s, \mathbf{false}) = \mathbf{false}$ 

- $\delta(s, \psi_1 \wedge \psi_2) = (s, \psi_1) \wedge (s, \psi_2)$ 

- $\delta(s, [K]\psi) = (s_1, \psi) \wedge \cdots \wedge (s_k, \psi)$ where $\{s_1, \ldots, s_k\} = \{t \mid s \xrightarrow{a} t$ with an 
action $a \in K\}$ 

- $\delta(s, \nu X.\psi) = (s, \psi)$ 

- $\delta(s, \mathbf{true}) = \mathbf{true}$ 

- $\delta(s, \psi_1 \vee \psi_2) = (s, \psi_1) \vee (s, \psi_2)$ 

- $\delta(s, \langle K \rangle \psi) = (s_1, \psi) \vee \cdots \vee (s_k, \psi)$ where $\{s_1, \ldots, s_k\} = \{t \mid s \xrightarrow{a} t$ with an 
action $a \in K\}$ 

- $\delta(s, \mu X.\psi) = (s, \psi)$ 

- $\delta(s, X) = (s, \psi')$ where $\psi' = \sigma X.\psi$ is the fixed point formula belonging to 
$X$⁶ 

⁵ For notational convenience we write $\delta(s, \varphi) = \psi$ instead of $\delta((s, \varphi), a) = \psi$. 

Note that we identify an empty conjunction with true and an empty 
disjunction with false. 

It is obvious that $\mathcal{A}$ is a 1-letter and simple alternating automaton. To show 
that $\mathcal{A}$ is also weak, we define a partition of the states $Q$ into disjoint sets $Q_i$ and 
a partial order over these sets. To this end, we first define a quasi-ordering $\le_q$ on 
$S \times Sub(\varphi)$ which is the reflexive and transitive closure of the edge relation of the 
game graph. More formally, let $\le_e \subseteq (S \times Sub(\varphi))^2$ be defined by $(s, \varphi) \le_e (s', \varphi')$ 
iff 

- $s = s'$ and $\varphi' \in Sub(\varphi)$,⁷ or 

- $s \xrightarrow{a} s'$ for an $a \in K$ and $\varphi = \langle K \rangle \varphi'$ or $\varphi = [K]\varphi'$. 

Furthermore, let $\le_q$ be the quasi-ordering obtained as the reflexive and 
transitive closure of $\le_e$. Let $\equiv \subseteq (S \times Sub(\varphi))^2$ be defined in the natural way by 
$(s, \varphi) \equiv (s', \varphi')$ iff $(s, \varphi) \le_q (s', \varphi')$ and $(s', \varphi') \le_q (s, \varphi)$. Then the $Q_i$ are given 
by the equivalence classes of $S \times Sub(\varphi)$ with respect to $\equiv$, and the partial order $\le$ can be 
defined as $\le_q / \equiv$. 

We define $\mathcal{F}$ as follows. For an alternation-free formula φ, an equivalence class $Q_i$ 
that contains a fixed point state $(s, \sigma X.\psi)$ contains fixed point states of one sort σ 
only (this is where alternation-freeness is needed). Call $Q_i$ accepting iff it contains a 
state $(s, \nu X.\psi)$ for suitable $s \in S$ and $\psi \in Sub(\varphi)$, and let $\mathcal{F}$ be the union of the 
accepting classes. Then, by construction, each set $Q_i$ is either contained 
in $\mathcal{F}$ or disjoint from $\mathcal{F}$, and an infinite play that gets trapped in $Q_i$ unwinds a 
ν-fixed point infinitely often iff $Q_i$ is accepting. (Taking only the states $(s, \nu X.\psi)$ 
themselves as $\mathcal{F}$ would not do, since the class of $(s, \nu X.\psi)$ also contains $(s, \psi)$.) 

Hence, we have constructed a 1SWABA. Furthermore, it is obvious that 
the game interpretation of this automaton coincides with the model checking games 
introduced in Section 2. This allows us to employ the algorithm of the last section 
for obtaining a winning strategy and a winning tree for either ∃loise or ∀belard. 

Note that the same construction can also be carried out for formulas of the 
full μ-calculus. However, for the full μ-calculus the plays obtained by considering 
the accepting runs of the corresponding automaton differ from the games won 
by ∃loise. 

Figure 2 shows the graph constructed by the non-emptiness algorithm from 
the last section for the transition system in Figure 1 and the formula $\varphi = 
\mu X.\langle - \rangle X \vee \langle a \rangle \mathbf{true}$. The nodes framed with a box are colored green, while 
the nodes framed with a circle are colored red. 

Footnote: Remember that we restricted ourselves to normal formulas. So every variable $X$
identifies a unique subformula $\sigma X.\psi$ of $\varphi$.

Footnote: Here let $\sigma X.\psi$ be an element of $\mathit{Sub}(X)$ where $\sigma X.\psi$ is the formula identified by $X$.
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Fig. 2. A colored game graph

5 Conclusion

In this paper, we argued for the need for game based model checking algorithms
for practical verification tools since they admit a suitable form for debugging
concurrent systems. We presented an interpretation of 1-letter simple weak alternating
Büchi automata (1SWABA) in terms of games. We explained that
model checking games for the alternation free fragment of the μ-calculus coincide
with the game interpretation of 1SWABA. In this way, the well explained non-emptiness
proof for 1SWABA given in [KVW98] can be used to check whether
either ∃loise or ∀belard has a winning strategy for the model checking game.
Furthermore, we showed that the algorithm from [KVW98] is not only suitable
for checking which player has a winning strategy but can easily be extended to
obtain a winning strategy.

The algorithm is integrated in the verification platform Truth ([LLNT99]) 
with a text-based possibility to play model checking games. Truth is designed to 
be a test-bed for new algorithms and model checking techniques as well as a tool 
to be used for educating students in the area of formal verification. The algorithm 
has proven to be useful for debugging concurrent systems. At the moment, we 
are also working on a graphical front end for playing model-checking games. 
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Abstract. TLA (the Temporal Logic of Actions) is a linear temporal logic for
specifying and reasoning about reactive systems. We define a subset of TLA 
whose formulas are amenable to validation by animation, with the intent to fa- 
cilitate the communication between domain and solution experts in the design of 
reactive systems. 



1 Introduction 

The Temporal Logic of Actions (TLA) has been proposed by Lamport [21] for the 
specification and verification of reactive and concurrent systems. TLA models describe 
infinite sequences of states, called behaviors, that correspond to the execution of the 
system being specified. System specifications in TLA are usually written in a canonical 
form, which consists of specifying the initial states, the possible moves of the system, 
and supplementary fairness properties. Because such specifications are akin to the de- 
scriptions of automata and often have a strongly operational flavor, it is tempting to take 
such a formula and “let it run”. In this paper, we define an interpreter algorithm for a 
suitable subset of TLA. The interpreter generates (finite) runs of the system described 
by the specification, which can thus be validated by the user. 

For reasons of complexity, it is impossible to animate an arbitrary first-order TLA
specification; even the satisfiability problem for that logic is $\Pi^1_1$-complete. Our
restrictions concern the syntactic form of specifications, which ensure that finite models can
be generated incrementally. They do not constrain the domains of system variables or 
restrict the non-determinism inherent in a specification, which is important in the realm 
of reactive systems. 

In contrast, model checking techniques allow us to exhaustively analyse the (infinite)
runs of finite-state systems. It is generally agreed that the development of reactive sys- 
tems benefits from the use of both animation for the initial modelling phase, comple- 
mented by model checking of system abstractions for the verification of crucial system 
components. 

The organization of the paper is as follows: in sections 2 and 3 we discuss the
overall role of animation for system development, illustrating its purpose at the hand 
of a simple example, and discuss executable temporal logics. Section 4 constitutes the 
main body of this paper; we there define the syntax and semantics of an executable 

* This work was partly supported by a grant from DAAD and APAPE under the PROCOPE 
program. 
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subset of TLA, give the interpreter algorithm, and prove it sound and complete with 
respect to the logical semantics. Section 5 shows how fairness conditions can be taken 
into account and briefly describes our current prototype implementation, which also 
contains a model checking component. Finally, section 6 concludes by summarizing 
our results and comparing them to related work. 



2 The role of animation 

Requirements capture and analysis is the first step in typical lifecycle models of soft- 
ware engineering. It is the process of identifying and recording the needs of a customer. 
It fulfills two different roles:

- The customer must be convinced that the requirements are completely understood 
and recorded. 

- The designer must be able to use the requirements to produce a structure around 
which formal reasoning and an implementation can be developed. 

The success of this step depends on the communication between customer and de- 
signer. In general, the analysis and requirements document constitutes the interface be- 
tween problem domain experts with little knowledge of computers and solution domain 
professionals with little knowledge of the problem and a large understanding of com- 
puter systems and techniques. Thus, the communication should be oriented towards the 
customer: the formal model of requirements should be understood and communicated 
to the customer. Validation is the key technique that supports this communication. 

In the formal methods community, the validation of formal specifications is mainly 
based on either (automatic or computer-supported interactive) proof or on animation, 
that is, execution. The verification of TLA specifications has been amply studied; we 
focus here on validation by animation. Hoare [16] has studied the feasibility of ani- 
mating specifications. Emphasizing the tradeoff between expressiveness of the formal 
notations and their animation, he has initiated a lively debate in the community. Hayes 
and Jones [17] represent one side of this debate; they explain that specifications need 
not be executable by considering various problems involving different formal notations.
They argue that the expressiveness should not be sacrificed in favor of animation since 
a formal specification is intended for “human consumption”, whereas the additional re- 
quirements of executability may easily lead to over-specification. Consequently, the im- 
plementor may be tempted to follow the algorithmic structure of the executable specifi- 
cation. Moreover, Hayes and Jones argue that validation is achieved by proof rather than 
by animation, and that animation techniques should be restricted to particular problems 
such as the design of user interfaces [15]. As an exponent of the other side, Fuchs [11] 
argues that the specifications are (preferably) executable. He considers the same prob- 
lems stated by Hayes and Jones and translates them into a logic specification language 
(LSL), which is more expressive than Prolog. He emphasizes the value of animation as 
the primary vehicle of communication between the client and the designer. 

The limitations in expressiveness can be overcome by appropriate specification 
languages. For example, the B-Toolkit [3, 4] supports type-checking, animation, and 
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proofs. When there is non-determinism, the user is referred to as an oracle. In DisCo [7], 
the concept of external functions is used to extend the notations. 

Of course, animation should not be thought of as a panacea; it certainly does not ex- 
clude formal proofs. Rather, proofs and tests are complementary and should be used in 
conjunction. As an example, Rushby [26] considers the problem of sorting a sequence. 
The question whether a sorting function is idempotent can be addressed by proof or by 
animation. The latter can examine the property for a few representative values. Most 
importantly, animation can help us to ask the right questions. As with model-checking, 
the goal is to find a counter-example. When we have gained confidence in both the 
specification and the property then we can use a theorem-prover to attempt a formal 
proof. 

Related to implementation, Zave and Yeh [31, 32] argue that the border between 
implementations and executable specifications is resource management. Implementa- 
tions have to meet performance goals by an optimal use of resources while executable 
specifications should only specify the functional properties of the system. There is also 
a distinction between prototypes and executable specifications. Prototypes are mainly 
used to explore only part of the functionality of the system. On the other hand, exe- 
cutable specifications form the basis of the implementation [11]. 

3 Validating specifications by animation 




Fig. 1. Overall approach to animation [27] 



Figure 1 illustrates two approaches to animate formal specifications. The first ap- 
proach consists of (automatically) translating specifications into a target language, which 
is immediately executable. In the second approach, one defines an operational seman- 
tics for the specification language, perhaps using a standard SOS format, which can then 
be interpreted by a custom-built interpreter or even using a standard tool. Theoretically, 
the two approaches are equivalent: in both cases we must preserve correctness (and 
completeness if possible). Technically, the definition of the animation by the translation 
is a programming activity, and proving properties of the translation is often nontrivial. 
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The second approach favors compositionality of the translation, which simplifies formal 
reasoning. 



3.1 Criteria for animation systems 

Breuer and Bowen [6] identify three qualitative measures that can be used to compare 
animation systems: coverage, efficiency and sophistication. Utting [28] suggests three 
additional evaluation criteria: interactivity, transparency and operational equivalence. 
Among these criteria, we have chosen the following requirements which allow us to 
classify the different techniques of animation: 

- the expressiveness of the animation language, 

- efficiency, measured as the time and space requirements for execution, 

- correctness: every outcome of the execution conforms to the original specification, 
and 

- completeness: every model of the original specification is a possible outcome of the 
animation. 

3.2 Using animation to validate systems 

We illustrate what kinds of specification errors the animation may help to detect, and
why it is useful to combine animation and proof. Figure 2 shows an example due to
Gravell [15], but reformulated in TLA+, a specification language introduced by Lamport
[19, 20] and based on top of TLA. The specification should be easy to understand
even without detailed knowledge of TLA+.



    ---- MODULE Counter ----
    VARIABLE x

    Init == x = 0
    Next == /\ x < 995
            /\ x' = x + 5
    Fair == WF_x(Next)

    Spec == /\ Init
            /\ [][Next]_x
            /\ Fair

    THEOREM
      Invariant == [](x \in Nat /\ x < 1000)
    ====

Fig. 2. Specification of a counter.







Yassine Mokhtari and Stephan Merz



As explained by Gravell, there are two problems with this specification. The first
one concerns the test x < 995. When x = 995, the action Next is enabled and can
thus be executed, but the invariant is not preserved. This kind of error can be found
easily by animation. The validation of the invariant can be done by first checking that
the predicate Init satisfies the invariant and secondly by checking that the execution of
actions is closed with respect to the invariant. This is done by checking the validity of
the invariant at the initial state, and again after the execution of any action.

On the other hand, the animation points out that the invariant, when corrected, could 
be strengthened by asserting that x mod 5 = 0. For example, this stronger invariant im- 
plies that an implementation of the counter could internally use an 8 bit representation 
of integers. On the other hand, it could be the case that this invariant holds just “by 
accident” and is not actually desired by the client. 

Although this example is trivial, it illustrates what we expect from using animation.
As a realistic example, Gravell [15] has discovered an error in a specification which had
been published in a book about Modula-3.



3.3 Executable Temporal Logic 

Temporal logic [18, 23] is a standard framework for specifying and reasoning about 
reactive systems. It combines classical logic for assertions concerning single states with 
temporal operators expressing assertions that relate several states. The behaviors of 
reactive systems are modelled as infinite sequences of states. Temporal logic can be 
used to model reactive systems at a high level of expressiveness. If we can directly 
execute (a reasonable subset of) temporal logic specifications, they can be validated 
early on, without constructing and verifying intermediate refinements of the original 
specification. For this reason, there has been some interest in executing temporal logic 
specifications [9], and we review the central points. 

The “execution” of a temporal formula $F$ aims to build a model for $F$. The outcome
is therefore a model $\mathcal{M}$ such that $\mathcal{M} \models F$ holds. In general, an animator will only
produce finite prefixes of infinite behaviors. It should be the case that any finite sequence
of states produced by the animator can be extended to a model of the input specification.
Moreover, the animator should be able in principle to produce prefixes of every model,
possibly with some guidance by the user in the case of non-determinism.

The construction of models for propositional temporal logic specifications is usually
based on automata-theoretic techniques [30, 8]. The satisfiability problem is decidable
in the propositional case, but it is rather complex (PSPACE-complete). For first-order
temporal logics, the satisfiability problem is highly undecidable ($\Pi^1_1$-complete), and it
is not in general possible to incrementally construct models. Faced with these problems,
Merz [24] suggests finding a tradeoff between expressiveness and efficient
implementability.

We have chosen a subset of first-order TLA as our specification language. As op- 
posed to model checking, we want to be able to animate specifications that involve 
complex, unbounded data structures, while we are prepared to give up on full coverage 
of the state space. Compared to other temporal logics, TLA differs in that it empha- 
sizes automata-like descriptions of reactive systems, which have proven to be scalable 
to specifications of realistic size. It provides a simple logical language to describe both 
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systems and their properties, an important point when one is interested in refinement, 
and thereby simplifies the interface between the domain and solution experts. 



4 Animating TLA specifications 

4.1 Overview 

TLA specifications are usually written in the canonical form [21]

$\mathit{Init} \wedge \Box[N]_x \wedge L$

where Init describes the initial states of the machine, N is the next-state relation, writ- 
ten as a disjunction of possible moves, x is a tuple of all variables of interest and L 
is a formula that describes the fairness requirements. A TLA specification thus defines 
an abstract machine whose state space is defined by the variables of the specification 
and whose transition relation is described by actions (transition predicates). An execu- 
tion is modelled as an infinite sequence of states, called behavior, where a terminating 
execution is modelled as repeating the final state. 

As a first step, we ignore fairness conditions, which will be considered in sec- 
tion 5.1, and concentrate on the safety part of specifications, written as 

$\mathit{Init} \wedge \Box[N]_x$

Such a formula is satisfied by a behavior whose initial state satisfies the predicate Init 
and where every pair of successive states satisfies N, or else doesn’t change x. Thus, 
the key requirement for animation is the ability to generate a finitely representable set 
of successors of each state. We can now state this idea more formally: 

Definition 1. A specification in TLA can be characterized by a triple $(St, I, A)$ where
$St$ is the set of all possible states, $I \subseteq St$ is the set of initial states, and $A$ is a set of
actions.

The interpretation of a state predicate $p$, written $[p]$, is a mapping from states to the
booleans. The interpretation of an action $a$, written $[a]$, is a boolean valued function on
steps, where a step is a pair of states. For each action $a \in A$, we can define its enabling
condition, written $\mathit{Enabled}(a)$, as the state predicate that is true precisely in those
states where $a$ may be executed. Semantically, $\mathit{Enabled}(a)$ is defined by

$s[\mathit{Enabled}(a)] = \exists t \in St : s[a]t$

A necessary condition for a specification to be executable is that for every (reachable)
state $s$ and every action $a \in A$, the set

$\{t \in St : s[a]t\}$

of legal successor states of $s$ w.r.t. $a$ be recursively enumerable. We will restrict the
action syntax in order to ensure this condition:
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- Atomic actions are of the form $x' = v$ where $v$ is a (computable) state function.

- Conjunctions and disjunctions of actions are again actions.

- Implications are allowed only if the formula on the left-hand side is a (computable)
state predicate: this restriction in particular ensures that the negation of an action
cannot in general be expressed.

The following sections formally define the syntax and semantics of our executable 
subset of TLA and describe an algorithm that generates (finite) models of such spec- 
ifications. We show that our interpreter algorithm is both correct and complete as ex- 
plained in section 3.1. 

One may argue that our restrictions on executable formulas are too severe and result 
in a specification language of insufficient expressivity. On the other hand, it is clear 
that for fundamental reasons of computability theory, it is impossible to syntactically 
characterize the full set of specifications such that the set of legal successor states is 
recursively enumerable. We expect to extend the class of allowed specifications given 
more experience with our present prototype animator. 

4.2 The logic of transitions 

Like TLA, the subset of TLA has two tiers, with the temporal formulas defined on top of 
nontemporal transition formulas. We now define the syntax and semantics of transition 
formulas. 

Syntax. We assume given a denumerable set of variables $V$. These are partitioned into
denumerable sets $V_R$ of rigid variables and $V_F$ of flexible variables.

We also assume given a sequence $\mathcal{L}$ of symbols, partitioned into a sequence $\mathcal{L}_P$ of
predicate symbols and a sequence $\mathcal{L}_F$ of function symbols. To each of the symbols in
$\mathcal{L}$ is assigned a natural number, its arity.

The syntax of nontemporal transition formulas has three tiers:

1. The first tier concerns the constant formulas whose meaning is state-independent.
Rigid variables may occur in these formulas.

2. The second tier concerns the state formulas whose meaning is state-dependent.
State formulas comprise state functions and state predicates. Both rigid variables
and flexible variables, whose value is state-dependent, may occur in state formulas.

3. The third tier concerns the transition formulas; they comprise only transition
predicates called actions. Transition formulas may contain primed occurrences of
flexible variables.

We will explicitly define state and transition formulas. Constant formulas are state 
formulas that do not contain flexible variables. 

State Functions. The set of state functions is the smallest set such that:

- If $x \in V_F \cup V_R$ then $x$ is a state function.

- If $f \in \mathcal{L}_F$ is a function symbol of arity $n$ and $v_1, \ldots, v_n$ are state functions then
$f(v_1, \ldots, v_n)$ is a state function.
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State Predicates. The set of state predicates is the smallest set such that:

- If $p \in \mathcal{L}_P$ is a predicate symbol of arity $n$ and $v_1, \ldots, v_n$ are state functions then
$p(v_1, \ldots, v_n)$ is a state predicate.

- If $v_1$ and $v_2$ are state functions then $v_1 = v_2$ is a state predicate.

- If $P$ is a state predicate then $\neg P$ is a state predicate.

- If $P$ and $Q$ are state predicates then $P \wedge Q$ is a state predicate.

Further connectives like $\vee$, $\Rightarrow$ and $\equiv$ are defined as standard abbreviations.

Actions. The set of actions (transition predicates) is the smallest set such that:

- If $P$ is a state predicate then $P$ is an action.

- If $x \in V_F$ and $v$ is a state function then $x' = v$ is an action.

- If $A$ and $B$ are actions then $A \wedge B$ and $A \vee B$ are actions.

- If $P$ is a state predicate and $A$ is an action then $P \Rightarrow A$ is an action.

We sometimes write $x' = x$ where $x$ is a finite list $(x_1, \ldots, x_n)$ of flexible variables
to denote the conjunction of all actions $x_i' = x_i$.

Logical semantics. The basic semantical concept of $\mathcal{L}$ is a structure $\mathcal{M}$ that consists
of:

- a non-empty domain $U$ called a universe.

- an $n$-ary function $\mathcal{M}(f) : U^n \to U$ for every $n$-ary function symbol $f$.

- an $n$-ary predicate $\mathcal{M}(p) \subseteq U^n$ for every $n$-ary predicate symbol $p$.

A rigid variable valuation (with respect to $U$) assigns some $\xi(x) \in U$ to every
$x \in V_R$. In this paper, we assume given a fixed structure $\mathcal{M}$ and valuation $\xi$ of the rigid
variables.

The semantics is defined in terms of states. A state is a mapping from flexible
variables $V_F$ to values from $U$. Thus, a state $s \in St$ assigns a value $s(x)$ to every
flexible variable $x \in V_F$.

State functions. The meaning $[v]$ of a state function $v$ is a mapping from states to
values in $U$. For every state $s$, we define $s[v]$ by induction as follows:

- If $x \in V_F$ then $s[x]$ is $s(x)$.

- If $x \in V_R$ then $s[x]$ is $\xi(x)$.

- $s[f(v_1, \ldots, v_n)]$ is $\mathcal{M}(f)(s[v_1], \ldots, s[v_n])$.

State Predicates. The meaning $[P]$ of a state predicate $P$ is a mapping from states to
booleans, so $s[P]$ equals true or false for every state $s$. We say that a state $s$ satisfies a
predicate $P$ iff $s[P]$ equals true. The semantics of state predicates is inductively defined
as follows:

- $s[v_1 = v_2]$ is true iff $s[v_1]$ and $s[v_2]$ are equal.

- $s[p(v_1, \ldots, v_n)]$ is true iff $(s[v_1], \ldots, s[v_n]) \in \mathcal{M}(p)$.

- $s[\neg P]$ is true iff $s[P]$ is false.

- $s[P \wedge Q]$ is true iff both $s[P]$ and $s[Q]$ are true.
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Actions. An action (transition predicate) represents a relation between states, where the
unprimed variables refer to the state before the transition and the primed variables refer
to the state thereafter.

Formally, we say that a pair $(s, t)$ of states satisfies an action $A$, and we write $s[A]t$,
iff:

- If $A$ is a state predicate $P$ then $s[A]t$ is true iff $s[P]$ is true.

- If $A$ is $x' = v$ then $s[A]t$ is true iff $t[x]$ and $s[v]$ are equal.

- If $A$ is $B \wedge C$ then $s[A]t$ is true iff $s[B]t$ and $s[C]t$ are true.

- If $A$ is $B \vee C$ then $s[A]t$ is true iff $s[B]t$ or $s[C]t$ is true.

- If $A$ is $P \Rightarrow B$ then $s[A]t$ is true iff $s[P]$ is false or $s[B]t$ is true.



Operational semantics We now complement the traditional, logical semantics of TLA 
defined above with an operational semantics that allows us to effectively evaluate ac- 
tions. This operational semantics is based on the first-order structure M, which we as- 
sume to be effectively presented. We are not concerned with how exactly M is defined; 
in practice, it will be provided by a host language, possibly extended with algebraic 
data types [14]. 

Informally, if $s[A]t$ holds for a pair $(s, t)$ of states then the execution of $A$ in state
$s$ can produce the new state $t$. We effectively construct $t$ with the help of an operational
semantics of actions that allows us to build the state $t$ incrementally. At each step of
the construction, we have partial information about the state $t$. This partial information
is represented by a valuation. Operationally, we define the meaning of an action in a
state $s$ as a set of valuations with finite domains. For example, $s[x' = x + 1]$ is the set
that contains just the valuation $[x \leftarrow \mathcal{M}(+)(s(x), \mathcal{M}(1))]$. We need two fundamental
notions. The first one ensures that two valuations $\tau_1$ and $\tau_2$ are compatible, that is,
they agree on the value of all variables they both determine. The second notion is the
operation JOIN that allows us to compose sets of valuations.

Definition 2. A valuation $\tau$ is a (possibly partial) mapping from $V_F$ to $U$, i.e.

Note that a state $s$ can be regarded as a valuation with $\mathrm{dom}(s) = V_F$. However, in
the following the domain of $\tau$ will often be finite. We write $[x_1 \leftarrow v_1, \ldots, x_n \leftarrow v_n]$ for
the valuation $\tau$ with $\mathrm{dom}(\tau) = \{x_1, \ldots, x_n\}$ and $\tau(x_i) = v_i$. In particular $[\,]$ denotes
the trivial valuation that is nowhere defined.

Definition 3. Let $\tau_1$ and $\tau_2$ be two valuations. We say that $\tau_1$ and $\tau_2$ are compatible,
written $\tau_1 \sim \tau_2$, iff $\tau_1(x) = \tau_2(x)$ for every $x \in \mathrm{dom}(\tau_1) \cap \mathrm{dom}(\tau_2)$.

Definition 4. The composition of two compatible valuations $\tau_1$ and $\tau_2$, written $\tau_1 \bullet \tau_2$,
is the valuation such that:

- $\mathrm{dom}(\tau_1 \bullet \tau_2) = \mathrm{dom}(\tau_1) \cup \mathrm{dom}(\tau_2)$ and

- for every variable $x \in \mathrm{dom}(\tau_1 \bullet \tau_2)$:
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Definition 5. The operation JOIN is defined by

$S \;\mathrm{JOIN}\; T = \{\rho \bullet \tau : \rho \in S, \tau \in T, \rho \sim \tau\}$

for any two sets $S$ and $T$ of valuations.

We note the following properties of these definitions, which are later used to estab- 
lish the soundness and completeness of our semantics. 

Lemma 6. If $\tau \in \mathrm{JOIN}_{i=1}^{n} \{[x_i \leftarrow c_i]\}$ then $\mathrm{dom}(\tau) = \{x_1, \ldots, x_n\}$ and $\tau(x_i) = c_i$
for every $x_i \in \mathrm{dom}(\tau)$.

Lemma 7. Let $S, T$ be two sets of valuations and $t$ be a state.

There exists some $\tau \in (S \;\mathrm{JOIN}\; T)$ such that $t \sim \tau$ iff there exist $\tau_1 \in S$ and $\tau_2 \in T$
such that $t \sim \tau_1$ and $t \sim \tau_2$.

Now, we can define the meaning of an action as a mapping from states to sets of
valuations. The semantics of actions is defined by structural induction as follows:

- $s[x' = v] = \{[x \leftarrow s[v]]\}$.

- If $P$ is a state predicate and $s[P]$ is true then $s[P] = \{[\,]\}$.

- If $P$ is a state predicate and $s[P]$ is false then $s[P] = \{\}$.

- $s[A \wedge B]$ is $s[A] \;\mathrm{JOIN}\; s[B]$.

- $s[A \vee B]$ is $s[A] \cup s[B]$ where $\cup$ is set union.

- If $s[P]$ is true then $s[P \Rightarrow A]$ is $s[A]$.

- If $s[P]$ is false then $s[P \Rightarrow A]$ is $\{[\,]\}$.



4.3 Temporal formulas 

Temporal formulas are built on the basis of transition formulas as defined above. We 
now define their syntax and semantics. 



Syntax. The only form of temporal formulas is

$\mathit{Init} \wedge \Box[N]_x$

where:

- $\mathit{Init}$ is a state predicate describing the initial values of $x$. We restrict $\mathit{Init}$ to be of
the form $\bigvee_{i=1}^{m} \bigwedge_{j=1}^{n} x_{ij} = c_{ij}$ where $c_{ij}$ is a constant and $x_{ij}$ is a variable.

- $N$ is an action describing the next-state relation.

- $x$ is a tuple of flexible variables that appear in $N$. We require each step to satisfy
$N$ or else leave all variables in $x$ unchanged. We may consider such steps as being
performed by the environment.
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Semantics. The semantics of temporal formulas is defined on behaviors, that is, infinite
sequences of states. If $\sigma = (s_0, s_1, \ldots)$ is a behavior then $\sigma|_n$ is its prefix $(s_0, \ldots, s_n)$.
Let $St^\infty$ denote the set of all behaviors.

Definition 8. Let $\sigma = (s_0, s_1, \ldots) \in St^\infty$ be a behavior. We say that $\sigma$ satisfies the
temporal formula $\mathit{Init} \wedge \Box[N]_x$, written $\sigma[\mathit{Init} \wedge \Box[N]_x]$, iff $s_0[\mathit{Init}]$ is true and for all
$n \in \mathit{Nat}$, $s_n[N \vee x' = x]s_{n+1}$ is true.

A fundamental result about TLA asserts that all formulas are invariant under stuttering,
that is, finite repetitions of identical states. Formally, stuttering equivalence is
the finest equivalence relation on behaviors such that any two behaviors $\pi \circ (s, s) \circ \sigma$
and $\pi \circ (s) \circ \sigma$ are stuttering equivalent. Invariance under stuttering allows refinement
to be represented by logical implication. All formulas written in our restricted logic are
therefore also stuttering invariant. The proof of the following proposition appears in [2].

Proposition 9. Let $F = \mathit{Init} \wedge \Box[A]_x$.

If $\sigma$ and $\tau$ are two stuttering equivalent behaviors, then $\sigma[F]$ holds iff $\tau[F]$ holds.



4.4 Soundness and completeness of our semantics 

We now define an operational semantics for temporal formulas, based on the operational 
semantics for actions, and relate it to the logical semantics by proving soundness and 
completeness theorems. 

Let $F = \mathit{Init} \wedge \Box[A]_x$ be a temporal formula. We write $\mathrm{TRACES}(F)$ to denote the
set of finite behaviors that satisfy $F$. Formally, $\mathrm{TRACES}(F)$ is defined by induction as
follows:

Definition 10. $\mathrm{TRACES}(F)$ is the smallest set such that:

- If $\mathit{Init} = \bigvee_{i=1}^{m} \bigwedge_{j=1}^{n} x_{ij} = c_{ij}$ then $(s_0) \in \mathrm{TRACES}(F)$ iff $s_0 \sim \tau$ for some
$\tau \in \bigcup_{i=1}^{m} \mathrm{JOIN}_{j=1}^{n} \{[x_{ij} \leftarrow c_{ij}]\}$.

- If $(s_0, \ldots, s_n) \in \mathrm{TRACES}(F)$ then $(s_0, \ldots, s_{n+1}) \in \mathrm{TRACES}(F)$ iff $s_{n+1} \sim \tau$ for
some $\tau \in s_n[A \vee x' = x]$.

$\mathrm{TRACES}(F)$ is therefore the set of finite behaviors that can be constructed by
repeatedly applying the operational semantics for actions from section 4.2. It defines the
operational semantics of temporal formulas.

Lemmas 11 and 12 establish the soundness and completeness of our semantics for
the initial predicate and for actions.

Lemma 11. $s_0[\bigwedge_{i=1}^{n} x_i = c_i]$ is true iff $s_0 \sim \tau$ for some $\tau \in \mathrm{JOIN}_{i=1}^{n} \{[x_i \leftarrow c_i]\}$.

Lemma 12. Let $A$ be an action and $s, t$ be states. $s[A]t$ is true iff $t \sim \tau$ holds for
some $\tau \in s[A]$.

These lemmas are the essential steps in proving the following theorems 13 and 14,
which assert the soundness and completeness of the operational semantics with respect
to the logical semantics.
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Theorem 13 (Soundness). Let $F = \mathit{Init} \wedge \Box[N]_x$ and $\sigma \in St^\infty$ be a behavior. If
$\sigma|_n \in \mathrm{TRACES}(F)$ holds for all $n \in \mathbb{N}$ then $\sigma[F]$ is true.

Theorem 14 (Completeness). Let $F = \mathit{Init} \wedge \Box[N]_x$ and $\sigma \in St^\infty$ be a behavior. If
$\sigma[F]$ is true then $\sigma|_n \in \mathrm{TRACES}(F)$ holds for all $n \in \mathbb{N}$.

4.5 The interpreter algorithm 

The interpreter algorithm iteratively constructs a set of finite behaviors that are prefixes
of models of an executable specification $F$. Let $F = \mathit{Init} \wedge \Box[A]_x$ be a temporal formula
and $W = FV_{\mathit{temp}}(F)$ be the free flexible variables of $F$. Intuitively, $W$ constitutes the
state space. A configuration is a mapping from $W$ to values, i.e.

$\kappa : W \to U$

In fact, the algorithm constructs a forest of simulation trees whose roots correspond 
to the initial states and whose nodes are configurations. This tree represents the set of 
finite behaviors allowed by the formula F. 

For each state under construction, we want to generate a set $C$ of configurations,
based on valuations $\tau$ produced by the operational semantics defined above. It only
remains to assign values to any variables in $W$ that are not in the domain of $\tau$. Uninitialized
variables typically correspond to environment inputs; their values have to be
provided by the user or be randomly generated by the animator. If $\tau$ is a valuation with
$\mathrm{dom}(\tau) \subseteq W$, we let $\mathrm{CONFIGURATIONS}(\tau)$ denote the valuation $\tau \bullet \mathit{input}$ where $\mathit{input}$
is some valuation with domain $W \setminus \mathrm{dom}(\tau)$. We extend CONFIGURATIONS to sets of
valuations in the obvious way. Figure 3 illustrates the algorithm.



Input: Let $F = \mathit{Init} \wedge \Box[A]_x$ where $\mathit{Init} = \bigvee_{i=1}^{m} \bigwedge_{j=1}^{n} x_{ij} = c_{ij}$.
Output: simulation tree

Initialization: $C_0 = \mathrm{CONFIGURATIONS}\bigl(\bigcup_{i=1}^{m} \mathrm{JOIN}_{j=1}^{n} \{[x_{ij} \leftarrow c_{ij}]\}\bigr)$

Construction:

1. choose any subaction of $A$, say $B$.

2. $C_{i+1} = \bigcup_{s \in C_i} \mathrm{CONFIGURATIONS}(s[B \vee x' = x])$.

Fig. 3. The interpreter algorithm.



Example. To illustrate the algorithm, consider the following example. Let

$F = x = 0 \wedge \Box[y > 0 \wedge x' = x + 1 \wedge y' = y + 1]_{\langle x, y\rangle}$

where $x$ and $y$ are flexible variables. At time 0, we may have by initialization:

$C_0 = \{[x \leftarrow 0, y \leftarrow 3]\}$

We assume that the user has chosen to instantiate $y$ with 3. At time 1, we have by the construction of configurations:

$C_1 = C_0 \cup \{[x \leftarrow 1, y \leftarrow 4]\}$

The construction continues in a similar way. Figure 4 illustrates the simulation tree. 
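As an added illustration of the interpreter algorithm of Fig. 3 on this example (example code written for this edition, not the authors' Java animator), the following Python builds the levels $C_0, C_1, \ldots$ of the simulation forest. The names `simulate` and `configurations`, and the `provide` callback that stands in for the user's choice of $y$, are assumptions of the example; a state is a dict, an action is a function returning the valuations in $s[A]$, and the stuttering step $x' = x$ is added explicitly.

```python
"""Simulation-forest construction for F = Init /\ [][A]_x, following the
interpreter algorithm of Fig. 3.

Added example; not the authors' Java animator.  A configuration kappa is a
dict over W; an action is a function that, given a state s, returns the
list of valuations in s[A] (the values the primed variables may take,
empty if A is disabled).  Variables of W that neither Init nor the action
determines are filled in by a `provide` callback that stands in for the
user's or the random-number generator's input."""

from typing import Callable, Dict, Iterable, List

Config = Dict[str, int]
Action = Callable[[Config], List[Config]]


def configurations(tau: Config, w: Iterable[str],
                   provide: Callable[[str], int]) -> Config:
    """CONFIGURATIONS(tau): extend tau to all of W with environment input."""
    full = dict(tau)
    for var in w:
        if var not in full:
            full[var] = provide(var)
    return full


def successors(s: Config, action: Action) -> List[Config]:
    """s[A \/ x' = x]: the valuations allowed by A plus the stuttering step."""
    return action(s) + [dict(s)]


def only_stuttering_enabled(s: Config, action: Action) -> bool:
    """True iff s[A] is empty, the situation the animator reports so that
    the user can decide between deadlock and successful quiescence."""
    return not action(s)


def _key(c: Config):
    return tuple(sorted(c.items()))


def simulate(init: List[Config], action: Action, w: List[str],
             provide: Callable[[str], int], depth: int) -> List[List[Config]]:
    """Return the levels C_0, ..., C_depth of the simulation forest.  C_0 is
    CONFIGURATIONS of the valuations produced by Init; C_{i+1} collects
    CONFIGURATIONS(s[A \/ x' = x]) over all s in C_i."""
    level: Dict[tuple, Config] = {}
    for tau in init:
        c = configurations(tau, w, provide)
        level[_key(c)] = c
    levels = [list(level.values())]
    for _ in range(depth):
        nxt: Dict[tuple, Config] = {}
        for s in level.values():
            for tau in successors(s, action):
                c = configurations(tau, w, provide)
                nxt[_key(c)] = c
        level = nxt
        levels.append(list(level.values()))
    return levels


# The paper's example: F = x = 0 /\ [][y > 0 /\ x' = x + 1 /\ y' = y + 1]_<x,y>
W = ["x", "y"]
EXAMPLE_INIT: List[Config] = [{"x": 0}]       # Init = (x = 0); y is left open


def example_action(s: Config) -> List[Config]:
    if s["y"] > 0:
        return [{"x": s["x"] + 1, "y": s["y"] + 1}]
    return []


def user_picks_three(var: str) -> int:
    """Stands in for the user instantiating y with 3 at initialization."""
    return 3


def run_example(depth: int = 2) -> List[List[Config]]:
    return simulate(EXAMPLE_INIT, example_action, W, user_picks_three, depth)
```

Because the stuttering step is always in $s[B \vee x' = x]$, every level contains the previous one, exactly as $C_1 = C_0 \cup \{[x \leftarrow 1, y \leftarrow 4]\}$ above; `only_stuttering_enabled` is the check the animator makes before alerting the user that nothing but stuttering is possible.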



Fig. 4. Simulation tree (levels $C_0 = \{\kappa_0\}$ and $C_1 = \{\kappa_0, \kappa_1\}$, rooted at $\kappa_0$).



5 Extensions 

We extend the basic set of executable TLA formulas considered so far by fairness con- 
ditions and give a brief indication of the current implementation, which complements 
the animator with a simple model checker for the analysis of finite-state specifications. 



5.1 Fairness requirements 

Fairness conditions are used to constrain the nondeterministic choices present in the specifications of concurrent systems at an abstract level of description. For example, consider the specification of the manager of a shared resource. We may use a fairness condition to require that every request must eventually be served. A typical implementation may queue the waiting requests. But including a queue in the specification of the resource manager has at least two drawbacks: it over-specifies the requirements, and it enforces implementation decisions at the requirements level. Observe moreover that without fairness requirements, a TLA component specified by a canonical formula $\mathit{Init} \wedge \Box[A]_x$ may at some point simply stop operating, since every stuttering action satisfies the safety requirement.

In general, fairness conditions assert that an action that is enabled often enough 
will eventually be executed. Standard interpretations of “often enough” are either “for- 
ever from some point onwards” (weak fairness) or “infinitely often” (strong fairness). 
Clearly, strong fairness implies weak fairness. In TLA, these fairness conditions can be 
defined as

$\mathrm{WF}_f(A) = (\Box\Diamond\langle A\rangle_f) \vee (\Box\Diamond\neg\mathrm{ENABLED}\,\langle A\rangle_f)$

$\mathrm{SF}_f(A) = (\Box\Diamond\langle A\rangle_f) \vee (\Diamond\Box\neg\mathrm{ENABLED}\,\langle A\rangle_f)$

We allow conjunctions of weak and strong fairness conditions to appear in exe- 
cutable formulas. They are implemented with the help of schedulers, ensuring that ev- 
ery infinite behavior that is a limit of the finite behaviors produced by the animator 
satisfies the fairness conditions as well as the safety part of the given specification. Of 
course, the choice of a fixed scheduler destroys the completeness property, since the 
nondeterminism of the original specification is constrained. In our implementation, the 
user has the freedom to override the scheduler’s choice of which action to execute next. 

For the sake of clarity, we separately define schedulers for specifications that contain 
either weak or strong fairness conditions. It is easy to combine the algorithms to obtain 
a scheduler for specifications that contain both types of fairness requirements. 

Weak Fairness. The scheduling algorithm for weak fairness is a simple round robin 
scheduler that cycles through the list of actions that have associated fairness conditions. 
In particular, an action that is continuously enabled from some point on will eventually 
be chosen for execution, thus satisfying the weak fairness condition. 

Formally, let $F = \mathit{Init} \wedge \Box[\bigvee_{i=1}^{m} A_i]_x \wedge \bigwedge_{i=1}^{m} \mathrm{WF}_x(A_i)$. We adapt the definition of $\mathrm{TRACES}(F)$ as follows:

Initialization If $\mathit{Init} = \bigvee_{i=1}^{k} \bigwedge_{j=1}^{n} x_j = c_{ij}$ then $\langle s_0\rangle \in \mathrm{TRACES}(F)$ iff $s_0 \sim \tau$ for some $\tau \in \bigcup_{i=1}^{k} \mathrm{JOIN}_{j=1}^{n}\{[x_j \leftarrow c_{ij}]\}$.

Body Assume that $\langle s_0, \ldots, s_n\rangle \in \mathrm{TRACES}(F)$.

1. If $s_n[\langle A_{(n \bmod m)+1}\rangle_x] \neq \emptyset$ then $\langle s_0, \ldots, s_{n+1}\rangle \in \mathrm{TRACES}(F)$ iff $s_{n+1} \sim \tau$ for some $\tau \in s_n[\langle A_{(n \bmod m)+1}\rangle_x]$.

2. If $s_n[\langle A_{(n \bmod m)+1}\rangle_x] = \emptyset$ then $\langle s_0, \ldots, s_{n+1}\rangle \in \mathrm{TRACES}(F)$ iff $s_{n+1} \sim \tau$ for some $\tau \in s_n[(\bigvee_{i=1}^{m} A_i) \vee x' = x]$.

Theorem 15 (Soundness). Let $F = \mathit{Init} \wedge \Box[\bigvee_{i=1}^{m} A_i]_x \wedge \bigwedge_{i=1}^{m} \mathrm{WF}_x(A_i)$. For any behavior $\sigma \in St^{\infty}$, if $\sigma|_n \in \mathrm{TRACES}(F)$ holds for all $n \in \mathbb{N}$ then $\sigma[F]$ is true.

Strong Fairness. The scheduling algorithm for strong fairness maintains a list of actions 
with associated fairness conditions and at every step tries to execute the first enabled 
action from that list, which is then moved to the end of the list. Intuitively, this corre- 
sponds to a priority scheduler where actions that cannot be executed move towards the 
beginning of the list. If the action is infinitely often enabled without being executed, 
it will eventually be the first enabled action in the list, and thus be executed by the 
scheduler. 

Formally, let $F = \mathit{Init} \wedge \Box[\bigvee_{i=1}^{m} A_i]_x \wedge \bigwedge_{i=1}^{m} \mathrm{SF}_x(A_i)$. We adapt the definition of $\mathrm{TRACES}(F)$ as follows, simultaneously defining a sequence $P_0, P_1, \ldots$ of lists of actions with fairness conditions (we use superscripts to refer to the element of a list at a given position):

Initialization

1. If $\mathit{Init} = \bigvee_{i=1}^{k} \bigwedge_{j=1}^{n} x_j = c_{ij}$ then $\langle s_0\rangle \in \mathrm{TRACES}(F)$ iff $s_0 \sim \tau$ for some $\tau \in \bigcup_{i=1}^{k} \mathrm{JOIN}_{j=1}^{n}\{[x_j \leftarrow c_{ij}]\}$.

2. $P_0 = (1, \ldots, m)$

Body Assume that $\langle s_0, \ldots, s_n\rangle \in \mathrm{TRACES}(F)$.

1. If $\mathrm{SCHED}(P_n, s_n) = i \neq 0$ then $\langle s_0, \ldots, s_{n+1}\rangle \in \mathrm{TRACES}(F)$ iff $s_{n+1} \sim \tau$ for some $\tau \in s_n[\langle A_{P_n^i}\rangle_x]$, and $P_{n+1} = (P_n^1, \ldots, P_n^{i-1}, P_n^{i+1}, \ldots, P_n^m, P_n^i)$.

2. If $\mathrm{SCHED}(P_n, s_n) = 0$ then $\langle s_0, \ldots, s_{n+1}\rangle \in \mathrm{TRACES}(F)$ iff $s_{n+1} \sim \tau$ for some $\tau \in s_n[(\bigvee_{i=1}^{m} A_i) \vee x' = x]$ and $P_{n+1} = P_n$.



Here,

$\mathrm{SCHED}(P, s) = \begin{cases} 0 & \text{if } s[\langle A_{P^j}\rangle_x] = \emptyset \text{ for all } j \\ \min\{j : s[\langle A_{P^j}\rangle_x] \neq \emptyset\} & \text{otherwise} \end{cases}$



Theorem 16 (Soundness). Let $F = \mathit{Init} \wedge \Box[\bigvee_{i=1}^{m} A_i]_x \wedge \bigwedge_{i=1}^{m} \mathrm{SF}_x(A_i)$. For any behavior $\sigma \in St^{\infty}$, if $\sigma|_n \in \mathrm{TRACES}(F)$ holds for all $n \in \mathbb{N}$ then $\sigma[F]$ is true.
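The two schedulers of this section, as an added Python example (not the authors' implementation): `sched` is the function SCHED above, `sf_step` is one step of the strong-fairness body including the move-to-end update of $P_n$, and `wf_step` is the round-robin weak-fairness body. The counter system with actions $A_1$ (increment) and $A_2$ (reset once $x \ge 3$) is constructed for the example, and taking the first successor where the definitions allow any $\tau$ is likewise an assumption of the example.

```python
"""Schedulers for the weak- and strong-fairness trace definitions of
Sect. 5.1: round robin for WF, move-to-end priority list for SF.

Added example, not the authors' implementation.  A state is a dict; an
action is a function s -> list of successor states (the valuations in
s[<A_i>_x]; an empty list means the action is disabled in s).  Actions are
numbered 1..m as in the paper and the lists P_n hold these numbers.  Where
the definitions allow any tau in a set, this example takes the first."""

from typing import Callable, Dict, List, Tuple

State = Dict[str, int]
Action = Callable[[State], List[State]]


def sched(p: List[int], s: State, actions: List[Action]) -> int:
    """SCHED(P, s): 0 if no A_{P^j} is enabled in s, otherwise the least
    position j (1-based) with s[<A_{P^j}>_x] != {}."""
    for j, idx in enumerate(p, start=1):
        if actions[idx - 1](s):
            return j
    return 0


def sf_step(p: List[int], s: State, actions: List[Action]) -> Tuple[List[int], State]:
    """Strong fairness body: execute the first enabled action of P and move
    it to the end, P_{n+1} = (P^1..P^{j-1}, P^{j+1}..P^m, P^j); if nothing
    is enabled, stutter and keep P."""
    j = sched(p, s, actions)
    if j == 0:
        return list(p), dict(s)
    idx = p[j - 1]
    return p[:j - 1] + p[j:] + [idx], actions[idx - 1](s)[0]


def wf_step(n: int, s: State, actions: List[Action]) -> State:
    """Weak fairness body at step n: try A_{(n mod m)+1}; if it is disabled,
    take any enabled action (here the first), otherwise stutter."""
    m = len(actions)
    for a in [actions[n % m]] + actions:
        succ = a(s)
        if succ:
            return succ[0]
    return dict(s)


def run_sf(s0: State, actions: List[Action], steps: int) -> Tuple[List[State], List[int]]:
    """Trace s_0..s_steps under the SF scheduler, starting from P_0 = (1..m)."""
    p = list(range(1, len(actions) + 1))
    trace = [s0]
    for _ in range(steps):
        p, s = sf_step(p, trace[-1], actions)
        trace.append(s)
    return trace, p


def run_wf(s0: State, actions: List[Action], steps: int) -> List[State]:
    """Trace s_0..s_steps under the round-robin WF scheduler."""
    trace = [s0]
    for n in range(steps):
        trace.append(wf_step(n, trace[-1], actions))
    return trace


# Constructed example: A_1 increments a counter and is always enabled,
# A_2 resets it and is enabled only when x >= 3.  The safety part alone
# allows incrementing (or stuttering) forever; the schedulers above make
# A_2 fire whenever its turn comes and it is enabled.
def increment(s: State) -> List[State]:
    return [{"x": s["x"] + 1}]


def reset(s: State) -> List[State]:
    return [{"x": 0}] if s["x"] >= 3 else []


COUNTER: List[Action] = [increment, reset]
```

Under the SF scheduler the reset action, once it cannot be executed, stays at the front of $P$ until it is enabled, so the counter trace cycles through 0, 1, 2, 3, 0, ...; the round-robin WF scheduler gives the same trace here because $A_2$ is enabled exactly when its turn comes.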



5.2 Model checker 

The animator is complemented by a model checker for finite-state TLA+ specifications. The model checker is based on our subset of TLA and uses an explicit-state enumeration algorithm to check the properties of the system and to produce counterexamples to those properties that do not hold of the system. It uses an on-the-fly algorithm, which interleaves the generation of the state space and the search for errors, avoiding the construction of the complete state space. The states are stored in a hash table, so that it can be decided efficiently whether a newly reached state is old (has been examined already) or new.

There are two kinds of properties that designers check with model checking tools: 
safety properties and liveness properties. Checking safety properties can be reduced to 
reachability analysis, whereas checking liveness properties amounts to searching for 
cycles in the state graph. More precisely, the procedure of verification is described in 
the following. 

Given an executable TLA specification $G$ and a property $f$ expressed in propositional TLA, the verification procedure [12] is defined as follows:

1. Build a Büchi automaton $B_{\neg f}$ for the negation of the formula $f$.

2. Compute the product $B_G \otimes B_{\neg f}$ of the transition system that corresponds to the specification $G$ and the automaton $B_{\neg f}$; the accepting runs of this automaton correspond to infinite computations of $G$ accepted by $B_{\neg f}$.

3. Check whether the language accepted by $B_G \otimes B_{\neg f}$ is empty or not.

The first step is based on the relation between Büchi automata and LTL. Vardi and Wolper [29] showed that any LTL formula can be translated into a Büchi automaton which accepts precisely those (infinite) system executions that satisfy the LTL formula. The algorithm [12] is based on a tableau procedure and computes the states of the Büchi automaton by computing the set of subformulas that must hold in each reachable state and in each of its successor states. Liveness conditions give rise to the set of accepting states of $B_{\neg f}$.

The language of $B_G \otimes B_{\neg f}$ is nonempty iff the automaton contains an acceptance cycle. The search for acceptance cycles can be interleaved with the construction of the product automaton [13].
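An added example of steps 2 and 3 (not the authors' model checker): a nested depth-first search that generates the product $B_G \otimes B_{\neg f}$ on the fly and stops at the first acceptance cycle. The Büchi automaton for $\neg f$ is written by hand here rather than produced by the tableau construction of [12]; the three-state counter and the property $f = \Box\Diamond(x = 0)$ are constructed for the example.

```python
"""On-the-fly emptiness check for B_G (x) B_{not f} (steps 2 and 3 of
Sect. 5.2) with a nested depth-first search for an acceptance cycle that
is interleaved with the generation of the product.

Added example; not the authors' model checker.  The Buechi automaton for
the negated property is written by hand instead of being produced by the
tableau construction of [12]; the transition system is a constructed
three-state counter."""

from typing import Callable, Dict, Hashable, Iterable, List, Optional, Set, Tuple

State = Hashable
ProdState = Tuple[State, int]


class Buchi:
    """Buechi automaton that reads system states.  delta(q, s) is the set
    of automaton states reachable from q on reading s; `init` is the state
    before the first system state has been read."""
    def __init__(self, init: int, accepting: Set[int],
                 delta: Callable[[int, State], Iterable[int]]):
        self.init, self.accepting, self.delta = init, accepting, delta


def find_acceptance_cycle(init_states: Iterable[State],
                          system_next: Callable[[State], Iterable[State]],
                          aut: Buchi) -> Optional[List[ProdState]]:
    """Nested DFS over the lazily generated product.  The outer search
    visits product states; when it leaves an accepting state it starts an
    inner search for a path back to that state.  Returns the lasso (prefix
    ending in the accepting state, then the cycle) as a counterexample, or
    None when the product language is empty, i.e. G satisfies f."""
    visited: Set[ProdState] = set()        # the hash table of Sect. 5.2
    inner_visited: Set[ProdState] = set()
    path: List[ProdState] = []

    def successors(v: ProdState):
        s, q = v
        for s2 in system_next(s):
            for q2 in aut.delta(q, s2):
                yield (s2, q2)

    def inner(seed: ProdState, v: ProdState) -> Optional[List[ProdState]]:
        inner_visited.add(v)
        for w in successors(v):
            if w == seed:
                return [w]
            if w not in inner_visited:
                rest = inner(seed, w)
                if rest is not None:
                    return [w] + rest
        return None

    def outer(v: ProdState) -> Optional[List[ProdState]]:
        visited.add(v)
        path.append(v)
        for w in successors(v):
            if w not in visited:
                found = outer(w)
                if found is not None:
                    return found
        if v[1] in aut.accepting:          # post-order: successors are done
            cycle = inner(v, v)
            if cycle is not None:
                return list(path) + cycle
        path.pop()
        return None

    for s0 in init_states:
        for q0 in aut.delta(aut.init, s0):
            if (s0, q0) not in visited:
                found = outer((s0, q0))
                if found is not None:
                    return found
    return None


def check(edges: Dict[State, List[State]], init_states: List[State],
          aut: Buchi) -> Optional[List[ProdState]]:
    """Run the check on a transition system given as an edge map."""
    return find_acceptance_cycle(init_states, lambda s: edges.get(s, []), aut)


# B_{not f} for f = []<>(x = 0): the negation <>[](x != 0) is accepted by
# guessing (state 0 -> 1) the point from which x stays nonzero forever;
# state 1 is accepting and can only be kept while x != 0.
NOT_INF_OFTEN_ZERO = Buchi(
    init=0, accepting={1},
    delta=lambda q, s: ([0] if q == 0 else []) + ([1] if s != 0 else []))

# Constructed systems: the first can stay in x = 1 forever (violates f),
# the second always returns to 0 (satisfies f).
LOOPS_IN_ONE = {0: [1], 1: [2, 1], 2: [0]}
ALWAYS_RETURNS = {0: [1], 1: [2], 2: [0]}
```

The inner search's visited set is shared between all inner searches; this is sound only because inner searches are started in post-order of the outer search, which is why the acceptance test sits after the loop over successors in `outer`.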

5.3 Implementation 

We have implemented the tools outlined in our paper in Java. Figure 5 shows a screenshot of our environment for TLA+. The tools include the following components:

Source Editor Edit source files using a point-and-click editor. The Source Editor also serves as the integrated display mechanism for the other TLA+ tool components.

Compiler Manager Build all TLA+ modules.

Animator Animate a TLA+ specification.

Model checker Model checker for TLA+ specifications.
Fig. 5. An example of a scenario

Figure 5 illustrates the animation of the invoice system specification. It consists of a system which is composed of the following components: a set of orders, a stock, and entry flows. An order contains one reference to a product of a certain quantity. It may change its state from pending to invoiced if and only if the ordered quantity of the product is less than or equal to the quantity of this product in stock. The same product reference may occur in different orders. The entry flows allow us to change the state of the set of orders and the stock: (i) entries in the set of orders: new orders (receive operation) or cancelled orders (cancel operation); (ii) entries in the stock: new quantities of products deposited at the warehouse (deposit operation).

Further, the figure shows an example of a user's interaction with the animator. We assume that the user initializes the system with two orders, namely $o_1$ and $o_2$, and one reference, namely $r_1$. Then the user chooses the scenario which consists in carrying out the sequence of actions $\mathit{Receive}(o_1, r_1, 5)$, $\mathit{Receive}(o_2, r_1, 10)$, $\mathit{Deposit}(r_1, 11)$, $\mathit{Update}(o_1)$. Next, we reach the state depicted in the figure, in which the first order $o_1$ is invoiced and the stock is updated. Finally, we can try to cancel the order $o_1$. The animator displays the message "The Enabled predicate is false", which means that we cannot change the status of an order which is already invoiced. Thus, the execution of the action $\mathit{Cancel}(o_1)$ is not authorized. For further explanations, the reader may refer to [33].



6 Conclusion 

We have presented an executable subset of TLA and have established the soundness 
and completeness of our operational semantics with respect to the logical semantics. 
The interpreter algorithm needs to store only the current state in order to compute its 
successors; there is no need to refer to the entire history. Nevertheless, we store the 
choices present at each step so that the user can backtrack and explore different branches 
of the tree. Note in particular that because of the possibility of taking stuttering steps, 
and because all specifications in the subset defined in this paper are machine closed [1], 
a temporal formula in our subset is satisfiable if and only if the initial condition is. The 
user is alerted when only the stuttering action is enabled at some point; he can then 
decide whether the system state corresponds to a deadlock or to a quiescent state where 
all activity has terminated successfully. 

We intend this work as a first step towards the development of an animator for TLA and TLA+ [19]. We have developed a prototype in Java which faithfully incorporates the ideas outlined in this paper.

We are not alone in studying animation techniques for temporal logics. The classical approach for finite-state systems is based on the correspondence between propositional temporal logic (PTL) and finite-state automata on $\omega$-words such as Büchi automata. Wolper [30] shows that for a given propositional temporal logic formula $\phi$, one can construct an $\omega$-automaton which accepts precisely those models that satisfy $\phi$. This automaton can be taken as the basis of a PTL animator. While fully general for propositional logics, this approach is inherently restricted to finite-state systems. Moreover, the resulting automaton can be prohibitively large.
Other approaches are based on symbolic manipulation to ensure that each step in the execution obeys the specification. For example, METATEM [10] is based on full linear-time temporal logic, where formulas are restricted to the form

past time antecedent $\Rightarrow$ future time consequent

which means "on the basis of the past do the future". Given a program consisting of a set of rules $R_i$ of the above form, the interpreter attempts to construct a model of the formula $\Box \bigwedge_i R_i$. It proceeds informally in the following manner:

1 . find those rules whose past-time antecedents evaluate to true in the current history; 

2. “jointly execute” the consequents of applicable rules with any commitments carried 
forward. This will result in the current state being completed and the construction 
of a set of commitments to be carried out in the future; 

3. repeat the execution process from the new commitments and the new history result- 
ing from 2 above. 

METATEM is more general in that it has an input language equivalent in expressive- 
ness to full first-order temporal logic. The interpreter can therefore not ensure that finite 
behaviors constructed up to a certain point are in fact prefixes of models. Besides, it has 
to store the complete history of each run in order to evaluate past-time formulas in the 
antecedents of rules. 

Finally, there have been extensions of PROLOG to incorporate temporal modal- 
ities [5, 25]. However, these approaches are based on sets of rules that may involve 
temporal logic, and answer queries for such historical databases; they are not intended 
for the construction of behaviors of reactive systems. 
Abstract. Deterministic conditional rewrite systems are interesting because they permit extra variables on the right-hand sides of the rules. If such a system is quasi-reductive, then it is terminating and has a computable rewrite relation. It will be shown that every deterministic CTRS $\mathcal{R}$ can be transformed into an unconditional TRS $U(\mathcal{R})$ such that termination of $U(\mathcal{R})$ implies quasi-reductivity of $\mathcal{R}$. The main theorem states that quasi-reductivity of $\mathcal{R}$ implies innermost termination of $U(\mathcal{R})$. These results have interesting applications in two different areas: modularity in term rewriting and termination proofs of well-moded logic programs.



1 Introduction 

Conditional term rewriting systems (CTRSs) are the basis of functional logic programming; see [Han94] for an overview of this field. In CTRSs, variables on the right-hand side of a rewrite rule which do not occur on the left-hand side are often forbidden. This is because it is in general not clear how to instantiate them. On the other hand, a restricted use of these extra variables enables a more natural and efficient way of writing programs in a functional logic programming language. For instance, the Haskell quicksort program

  split x []                 = ([], [])
  split x (y:ys) | x <= y    = (xs, y:zs)
                 | otherwise = (y:xs, zs)
    where (xs, zs) = split x ys

  qsort []     = []
  qsort (x:xs) = qsort ys ++ (x : qsort zs)
    where (ys, zs) = split x xs

corresponds to the CTRS

$\mathit{split}(x, []) \to ([], [])$

$\mathit{split}(x, y : ys) \to (xs, y : zs) \Leftarrow \mathit{split}(x, ys) \to (xs, zs),\ x \le y \to \mathit{true}$

$\mathit{split}(x, y : ys) \to (y : xs, zs) \Leftarrow \mathit{split}(x, ys) \to (xs, zs),\ x \le y \to \mathit{false}$

$\mathit{qsort}([]) \to []$

$\mathit{qsort}(x : xs) \to \mathit{qsort}(ys) \mathbin{+\!\!+} (x : \mathit{qsort}(zs)) \Leftarrow \mathit{split}(x, xs) \to (ys, zs)$
which has extra variables on the right-hand side of every conditional rule. The rewrite relation induced by the above CTRS is effectively terminating (that is, computable and terminating) because the system is a quasi-reductive deterministic CTRS. This class of CTRSs was introduced by Ganzinger [Gan91] in order to efficiently translate order-sorted specifications into conditional many-sorted equations. Quasi-reductivity is in general undecidable, but sufficient criteria to check quasi-reductivity have been proposed in [Gan91,ALS94].

Similar to the approach of Marchiori [Mar96], we will show how every deterministic CTRS $\mathcal{R}$ can be transformed into an unconditional TRS $U(\mathcal{R})$ such that termination of $U(\mathcal{R})$ implies quasi-reductivity of $\mathcal{R}$. This result is interesting because standard methods for proving termination of TRSs can be employed to infer quasi-reductivity automatically; see [AG97a]. On the one hand, an example in [Mar95] shows that quasi-reductivity of $\mathcal{R}$ does not imply termination of $U(\mathcal{R})$, but on the other hand the main theorem of this paper states that it does imply innermost termination of $U(\mathcal{R})$. (The proof of this theorem is non-trivial.) This has two striking consequences.

Firstly, Gramlich [Gra95] showed that for non-overlapping TRSs innermost termination coincides with termination. Since $U(\mathcal{R})$ inherits non-overlappingness from a syntactically deterministic CTRS $\mathcal{R}$, termination of $U(\mathcal{R})$ and quasi-reductivity of $\mathcal{R}$ are equivalent for this class of CTRSs. Consequently, quasi-reductivity is modular for non-overlapping syntactically deterministic composable CTRSs.

Secondly, Ganzinger and Waldmann [GW93] proved that a translation of a well-moded logic program $P$ into a quasi-reductive deterministic CTRS $R_P$ yields a termination proof for $P$. Using an imperative procedure, Arts and Zantema [AZ95,AZ96] transformed a logic program $P$ directly into an unconditional TRS (which in essence coincides with $U(R_P)$) and showed that innermost termination of this system ensures termination of $P$. Consequently, it is remarked in [AZ95] that the suggested method "is applicable to a wider class of logic programs" and hence it is "stronger than the other results". Although $U(R_P)$ is not necessarily non-overlapping, it can be shown that in this particular case innermost termination and termination are equivalent. A consequence is the surprising fact that the methods of Ganzinger & Waldmann and Arts & Zantema are equally powerful, in the sense that every logic program which can be shown as terminating by one of the methods can be shown as terminating by both methods. Our new two-stage transformation approach to proving termination of an LR-well-moded logic program can be automated and moreover it has certain advantages over the direct transformation. These advantages are discussed at the end of the paper.

2 Preliminaries 

The reader is assumed to be familiar with the basic concepts of term rewriting 
which can for instance be found in the textbook of Baader and Nipkow [BN98]. 
Here we will only recall the definitions which are crucial to this paper. 
In a CTRS rules have the form $l \to r \Leftarrow s_1 = t_1, \ldots, s_k = t_k$ with $l, r, s_1, \ldots, s_k, t_1, \ldots, t_k \in \mathcal{T}(\mathcal{F}, \mathcal{V})$. $l$ may not be a variable. We frequently abbreviate the conditional part of the rule by $c$. If a rule has no conditions, we write $l \to r$, demand that $Var(r) \subseteq Var(l)$, and call $l \to r$ an unconditional rule. The $=$ symbol in the conditions can be interpreted in different ways, leading to different rewrite relations associated with $\mathcal{R}$. For instance, in a join CTRS the $=$ symbol stands for joinability ($\downarrow_{\mathcal{R}}$). This paper deals with oriented CTRSs in which the equality signs are interpreted as reachability ($\to^*_{\mathcal{R}}$). A normal CTRS $(\mathcal{F}, \mathcal{R})$ is an oriented CTRS in which the rewrite rules are subject to the additional constraint that every $t_j$ is a ground normal form with respect to $\mathcal{R}_u$, where $\mathcal{R}_u = \{l \to r \mid l \to r \Leftarrow c \in \mathcal{R}\}$.

For every rule $p : l \to r \Leftarrow c$, the set of variables occurring in $p$ is denoted by $Var(p)$ and the set of extra variables in $p$ is $\mathcal{E}Var(p) = Var(p) \setminus Var(l)$. A 1-CTRS has no extra variables, a 2-CTRS has no extra variables on the right-hand sides of the rules, and a 3-CTRS may contain extra variables on the right-hand sides of the rules provided that these also occur in the corresponding conditional part (i.e., $Var(r) \subseteq Var(l) \cup Var(c)$).

3 Quasi-Reductive Deterministic 3-CTRSs 

First of all, we will review the definition of deterministic systems from [Gan91].

Definition 1. An oriented 3-CTRS $\mathcal{R}$ is called deterministic if (after appropriately changing the order of the conditions in the rewrite rules) for every $l \to r \Leftarrow s_1 \to t_1, \ldots, s_k \to t_k$ in $\mathcal{R}$ and every $1 \le i \le k$, we have $Var(s_i) \subseteq Var(l) \cup \bigcup_{j=1}^{i-1} Var(t_j)$. In the following, we will frequently use the notation $\mathcal{E}Var(t_i) = Var(t_i) \setminus (Var(l) \cup \bigcup_{j=1}^{i-1} Var(t_j))$.

The rewrite relation $\to_{\mathcal{R}}$ associated with an oriented deterministic 3-CTRS $\mathcal{R}$ is defined by: $s \to_{\mathcal{R}} t$ if and only if there exists a rewrite rule $p : l \to r \Leftarrow s_1 \to t_1, \ldots, s_k \to t_k$ in $\mathcal{R}$, a substitution $\sigma : Var(p) \to \mathcal{T}(\mathcal{F}, \mathcal{V})$, and a context $C[\,]$ such that $s = C[l\sigma]$, $t = C[r\sigma]$, and $s_i\sigma \to^*_{\mathcal{R}} t_i\sigma$ for all $1 \le i \le k$. We would like to stress the fact that $\sigma$ instantiates every variable in $p$ and not only those variables occurring in $l$; for an extra variable $x$, $x\sigma$ is determined as follows. The conditions are evaluated from left to right. Since $s_1$ contains only variables from $Var(l)$, the variables in $Var(s_1)$ have a binding. Then $s_1\sigma$ is rewritten until $t_1\sigma$ matches a reduct. The term $t_1\sigma$ may contain extra variables, but all of these are bound during the match. Now $s_2$ contains only variables which already occurred to its left (in $l$ and $t_1$) and are thus bound. The instantiated term $s_2\sigma$ is then reduced until the (partially) instantiated term $t_2\sigma$ matches a reduct, and so on. If all the conditions are satisfied, then all variables in the conditions are bound in the process of evaluating the conditions. Hence the reduct of $l\sigma$ is well-defined (but in general not unique) because $r$ contains only variables which also appear in the conditions.
The proper subterm relation is denoted by $\rhd$. The next definition is based on the well-known fact that if $\succ$ is a well-founded partial order which is closed under contexts, then the order $\succ_{st} = (\succ \cup \rhd)^+$ is also well-founded.

Definition 2. A deterministic 3-CTRS $(\mathcal{F}, \mathcal{R})$ is called quasi-reductive if there is an extension $\mathcal{F}'$ of the signature $\mathcal{F}$ (so $\mathcal{F} \subseteq \mathcal{F}'$) and a reduction order $\succ$ on $\mathcal{T}(\mathcal{F}', \mathcal{V})$ which, for every rule $l \to r \Leftarrow s_1 \to t_1, \ldots, s_k \to t_k \in \mathcal{R}$, every substitution $\sigma : \mathcal{V} \to \mathcal{T}(\mathcal{F}', \mathcal{V})$, and every $0 \le i < k$ satisfies:

1. if $s_j\sigma \succeq t_j\sigma$ for every $1 \le j \le i$, then $l\sigma \succ_{st} s_{i+1}\sigma$,

2. if $s_j\sigma \succeq t_j\sigma$ for every $1 \le j \le k$, then $l\sigma \succ r\sigma$.

Quasi-reductive deterministic 3-CTRSs were introduced by Ganzinger [Gan91, Def. 4.2] without mentioning that the original signature can be extended. This, however, is crucial because otherwise Propositions 4.3 and 4.4 in [Gan91] would be incorrect. For instance, [Gan91, Prop. 4.3] states the following sufficient condition for quasi-reductivity (cf. [BG89]): Let $\mathcal{F}'$ be an enrichment of the original signature $\mathcal{F}$ such that the order $\succ$ can be extended to a reduction order over $\mathcal{T}(\mathcal{F}', \mathcal{V})$. A deterministic rule $l \to r \Leftarrow s_1 \to t_1, \ldots, s_k \to t_k$ is quasi-reductive if there exists a sequence $h_i(x)$ of terms in $\mathcal{T}(\mathcal{F}', \mathcal{V})$, $x \in \mathcal{V}$, such that $l \succ h_1(s_1)$, $h_i(t_i) \succ h_{i+1}(s_{i+1})$ for $1 \le i < k$, and $h_k(t_k) \succeq r$.

In order to show that [Gan91, Prop. 4.3] would be incorrect if signature extensions are not allowed, consider the 1-CTRS from [DOS88]

$\mathcal{R} = \{\ b \to c,\quad f(b) \to f(a),\quad a \to c \Leftarrow b \to c\ \}$

over the signature $\mathcal{F} = \{a, b, c, f\}$. Note that no reduction order on $\mathcal{T}(\mathcal{F}, \mathcal{V})$ can prove quasi-reductivity of $\mathcal{R}$ because no partial order $\succ$ on $\mathcal{T}(\mathcal{F}, \mathcal{V})$ which is closed under contexts and has $f(b) \succ f(a)$ can have $a \succ b$. However, [Gan91, Prop. 4.3] is applicable with $\mathcal{F}' = \mathcal{F} \cup \{h\}$ and $\succ\ = \to^+_{\mathcal{R}'}$, where

$\mathcal{R}' = \{\ b \to c,\quad f(b) \to f(a),\quad a \to h(b),\quad h(c) \to c\ \}$

The relation $\succ$ is a reduction order on $\mathcal{T}(\mathcal{F}', \mathcal{V})$ because $\mathcal{R}'$ is terminating. Next, we will introduce the new notion of quasi-decreasingness.

Definition 3. A deterministic 3-CTRS $(\mathcal{F}, \mathcal{R})$ is called quasi-decreasing if there is a well-founded partial order $\succ$ on $\mathcal{T}(\mathcal{F}, \mathcal{V})$ satisfying:

1. $\to_{\mathcal{R}} \subseteq \succ$,

2. $\succ$ has the subterm property (hence $\succ\ = \succ_{st}$),

3. for every rule $l \to r \Leftarrow s_1 \to t_1, \ldots, s_k \to t_k \in \mathcal{R}$, every substitution $\sigma$, and $0 \le i < k$: if $s_j\sigma \to^*_{\mathcal{R}} t_j\sigma$ for every $1 \le j \le i$, then $l\sigma \succ s_{i+1}\sigma$.
Lemma 4. Every quasi-reductive deterministic 3-CTRS is quasi-decreasing.

Proof. If $(\mathcal{F}, \mathcal{R})$ is quasi-reductive, then there is an extension $\mathcal{F}'$ of the signature $\mathcal{F}$ and a reduction order $>$ on $\mathcal{T}(\mathcal{F}', \mathcal{V})$ which meets the requirements of Definition 2. It follows that the relation $\to_{\mathcal{R}}$ on $\mathcal{T}(\mathcal{F}', \mathcal{V})$ is a subset of $>$; see [Gan91, Lemma 4.5]. Let $\succ$ denote the restriction of $>_{st}$ to $\mathcal{T}(\mathcal{F}, \mathcal{V})$. Clearly, $\succ$ is a well-founded order on $\mathcal{T}(\mathcal{F}, \mathcal{V})$ such that $\to_{\mathcal{R}} \subseteq \succ$ and $\rhd \subseteq \succ$. Thus $\mathcal{R}$ is quasi-decreasing w.r.t. $\succ$ provided that for every rule $l \to r \Leftarrow s_1 \to t_1, \ldots, s_k \to t_k \in \mathcal{R}$, every substitution $\sigma : \mathcal{V} \to \mathcal{T}(\mathcal{F}, \mathcal{V})$, and $0 \le i < k$ we have: $s_j\sigma \to^*_{\mathcal{R}} t_j\sigma$ for every $1 \le j \le i$ implies $l\sigma \succ s_{i+1}\sigma$. Obviously $s_j\sigma \ge t_j\sigma$ is a consequence of $s_j\sigma \to^*_{\mathcal{R}} t_j\sigma$, where $1 \le j \le i$. Since $(\mathcal{F}, \mathcal{R})$ is quasi-reductive, it follows that $l\sigma >_{st} s_{i+1}\sigma$. Finally, we obtain $l\sigma \succ s_{i+1}\sigma$ from $l\sigma, s_{i+1}\sigma \in \mathcal{T}(\mathcal{F}, \mathcal{V})$.

We do not know whether or not quasi-decreasingness implies quasi-reductivity. It is favorable, however, to handle quasi-decreasingness because it has two advantages over quasi-reductivity: (i) it does not depend on signature extensions, and (ii) in requirement (3) of Definition 3, $l\sigma \succ_{st} s_{i+1}\sigma$ must hold only if $s_j\sigma \to^*_{\mathcal{R}} t_j\sigma$, whereas it must hold for all $s_j\sigma \succeq t_j\sigma$ according to Definition 2(1).

Finite quasi-reductive deterministic 3-CTRSs have a terminating and computable rewrite relation [Gan91,ALS94], and the same holds for quasi-decreasing systems. Our next goal is to provide a systematic way of showing quasi-reductivity. To this end, we transform every deterministic 3-CTRS $\mathcal{R}$ into an unconditional TRS $U(\mathcal{R})$. For normal 1-CTRSs, a similar transformation was already given in [BK86, Def. 2.5.1]. Marchiori [Mar96,Mar95] studied such transformations of 1-CTRSs (which he called unravelings) in detail.

Definition 5. Let $\mathcal{R}$ be a deterministic 3-CTRS over the signature $\mathcal{F}$. For every rewrite rule $p : l \to r \Leftarrow c \in \mathcal{R}$, let $|p|$ denote the number of conditions in $p$. In the transformation, we need $|p|$ fresh function symbols $U^p_1, \ldots, U^p_{|p|}$ for every conditional rule $p \in \mathcal{R}$. Moreover, by abuse of notation, $Var$ (resp. $\mathcal{E}Var$) denotes a function which assigns the sequence of the variables (in some fixed order) in the set $Var(t)$ (resp. $\mathcal{E}Var(t)$; cf. Def. 1) to a term $t$. We transform $p : l \to r \Leftarrow s_1 \to t_1, \ldots, s_{|p|} \to t_{|p|}$ into a set $U(p)$ of $|p| + 1$ unconditional rewrite rules as follows:

$l \to U^p_1(s_1, Var(l))$

$U^p_1(t_1, Var(l)) \to U^p_2(s_2, Var(l), \mathcal{E}Var(t_1))$

$U^p_2(t_2, Var(l), \mathcal{E}Var(t_1)) \to U^p_3(s_3, Var(l), \mathcal{E}Var(t_1), \mathcal{E}Var(t_2))$

$\cdots$

$U^p_{|p|}(t_{|p|}, Var(l), \mathcal{E}Var(t_1), \ldots, \mathcal{E}Var(t_{|p|-1})) \to r$

Since $\mathcal{R}$ is deterministic, the system $U(\mathcal{R}) = \bigcup_{p \in \mathcal{R}} U(p)$ is an unconditional TRS over the extended signature $\mathcal{F}' = \mathcal{F} \cup \{U^p_i \mid p \in \mathcal{R},\ 1 \le i \le |p|\}$ (that is, $Var(r') \subseteq Var(l')$ holds for every rewrite rule $l' \to r' \in U(\mathcal{R})$). In the following, the symbols from $\mathcal{F}' \setminus \mathcal{F}$ are called $U$-symbols.
For example, the transformation of the quicksort system is

$\mathit{split}(x, []) \to ([], [])$

$\mathit{split}(x, y : ys) \to U'_1(\mathit{split}(x, ys), x, y, ys)$

$U'_1((xs, zs), x, y, ys) \to U'_2(x \le y, x, y, ys, xs, zs)$

$U'_2(\mathit{true}, x, y, ys, xs, zs) \to (xs, y : zs)$

$\mathit{split}(x, y : ys) \to U''_1(\mathit{split}(x, ys), x, y, ys)$

$U''_1((xs, zs), x, y, ys) \to U''_2(x \le y, x, y, ys, xs, zs)$

$U''_2(\mathit{false}, x, y, ys, xs, zs) \to (y : xs, zs)$

$\mathit{qsort}([]) \to []$

$\mathit{qsort}(x : xs) \to U'''_1(\mathit{split}(x, xs), x, xs)$

$U'''_1((ys, zs), x, xs) \to \mathit{qsort}(ys) \mathbin{+\!\!+} (x : \mathit{qsort}(zs))$

If functions are specified via distinct cases as in the split function (that is, the left-hand sides of two or more rules and a prefix of the sequences of their conditions coincide), then the transformation can be "optimized" as follows:

$\mathit{split}(x, y : ys) \to U'_1(\mathit{split}(x, ys), x, y, ys)$

$U'_1((xs, zs), x, y, ys) \to U'_2(x \le y, x, y, ys, xs, zs)$

$U'_2(\mathit{true}, x, y, ys, xs, zs) \to (xs, y : zs)$

$U'_2(\mathit{false}, x, y, ys, xs, zs) \to (y : xs, zs)$

We omit the formal definition of this obvious optimization of the transformation $U$. It turns out that termination of $U(\mathcal{R})$ is a sufficient but not a necessary condition for quasi-reductivity of $\mathcal{R}$.

Proposition 6. If $U(\mathcal{R})$ is terminating, then $\mathcal{R}$ is quasi-reductive.

Proof. Let $\succ\ = \to^+_{U(\mathcal{R})}$, a reduction order on $\mathcal{T}(\mathcal{F}', \mathcal{V})$. For every rule $l \to r \Leftarrow s_1 \to t_1, \ldots, s_k \to t_k$ in $\mathcal{R}$, we show that $s_j\sigma \succeq t_j\sigma$ for every $1 \le j \le i < k$ implies $l\sigma \succ_{st} s_{i+1}\sigma$. We have the following derivation

$l\sigma \to_{U(\mathcal{R})} U^p_1(s_1, Var(l))\sigma \to^*_{U(\mathcal{R})} U^p_1(t_1, Var(l))\sigma \to_{U(\mathcal{R})} U^p_2(s_2, Var(l), \mathcal{E}Var(t_1))\sigma \to^*_{U(\mathcal{R})} \cdots \to^*_{U(\mathcal{R})} U^p_i(t_i, Var(l), \mathcal{E}Var(t_1), \ldots, \mathcal{E}Var(t_{i-1}))\sigma \to_{U(\mathcal{R})} U^p_{i+1}(s_{i+1}, Var(l), \mathcal{E}Var(t_1), \ldots, \mathcal{E}Var(t_i))\sigma$

because $s_j\sigma \succeq t_j\sigma$. Thus $l\sigma \succ_{st} s_{i+1}\sigma$. Requirement (2) of Definition 2 can be shown similarly.

A similar result for normal 1-CTRSs and a surprising counterexample to the converse of Proposition 6 can be found in [Mar96,Mar95]. In our quicksort example, termination of the transformed system can be shown automatically by the dependency pair method of Arts and Giesl [AG97a]. Thus the quicksort system is quasi-reductive.
4 The Main Theorem

Although quasi-decreasingness of a deterministic 3-CTRS $\mathcal{R}$ does not imply termination of $U(\mathcal{R})$, it does imply innermost termination of $U(\mathcal{R})$. This entire section is dedicated to a proof of this non-trivial fact.

Definition 7. Let $\mathcal{R}$ be a deterministic 3-CTRS and $U(\mathcal{R})$ its transformed TRS. We define a transformation $\mathrm{V} : \mathcal{T}(\mathcal{F}', \mathcal{V}) \to \mathcal{T}(\mathcal{F}, \mathcal{V})$ by

$\mathrm{V}(t) = \begin{cases} t & \text{if } t \in \mathcal{V} \\ f(\mathrm{V}(t_1), \ldots, \mathrm{V}(t_n)) & \text{if } t = f(t_1, \ldots, t_n),\ f \in \mathcal{F} \\ l\tau & \text{if } t = U^p_i(u, t_1, \ldots, t_n, \ldots) \end{cases}$

where $l$ is the left-hand side of the rule $p$, $Var(l) = x_1, \ldots, x_n$ (that is to say, $U^p_i(u, Var(l), \ldots) = U^p_i(u, x_1, \ldots, x_n, \ldots)$), and $\tau : Var(l) \to \mathcal{T}(\mathcal{F}, \mathcal{V})$ is defined by $\tau(x_j) = \mathrm{V}(t_j)$. For any $\sigma$, we define $\sigma_{\mathrm{V}}$ by $x\sigma_{\mathrm{V}} = \mathrm{V}(x\sigma)$.

For instance, if $\mathcal{R} = \{p_1 : f(x, y) \to z \Leftarrow x \to z,\ p_2 : a \to b \Leftarrow g(c) \to d\}$, then $U(\mathcal{R}) = \{f(x, y) \to U^{p_1}_1(x, x, y),\ U^{p_1}_1(z, x, y) \to z,\ a \to U^{p_2}_1(g(c)),\ U^{p_2}_1(d) \to b\}$ and for the term $t = g(U^{p_1}_1(U^{p_2}_1(d), U^{p_2}_1(b), U^{p_1}_1(a, b, U^{p_2}_1(d))))$, we have $\mathrm{V}(t) = g(f(a, f(b, a)))$.
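An added Python example (not code from the paper) of the transformation $U$ of Definition 5 together with the back-translation $\mathrm{V}$ of Definition 7, applied to the two-rule system just given and to the first split rule of the quicksort CTRS. The term representation, the naming of the fresh symbols as `U^<rule>_<i>`, and the determinism check performed before unraveling are assumptions of the example.

```python
"""The unraveling U(R) of Definition 5 and the back-translation V of
Definition 7 for deterministic 3-CTRSs.

Added example, not code from the paper.  Terms: a variable is a Python str,
an application is a tuple (symbol, (arg, ...)), a constant is (symbol, ()).
A conditional rule p is (name, l, r, [(s_1, t_1), ...]) with the conditions
read as s_i -> t_i.  The fresh symbols are named "U^<name>_<i>", a naming
convention chosen for this example."""

from typing import Dict, List, Optional, Tuple, Union

Term = Union[str, Tuple[str, tuple]]
Rule = Tuple[str, Term, Term, List[Tuple[Term, Term]]]


def app(sym: str, *args: Term) -> Term:
    return (sym, tuple(args))


def is_var(t: Term) -> bool:
    return isinstance(t, str)


def var_seq(t: Term, acc: Optional[List[str]] = None) -> List[str]:
    """Var(t) as a sequence in a fixed (first-occurrence) order."""
    acc = [] if acc is None else acc
    if is_var(t):
        if t not in acc:
            acc.append(t)
    else:
        for a in t[1]:
            var_seq(a, acc)
    return acc


def deterministic_violation(rule: Rule) -> Optional[str]:
    """Definition 1: Var(s_i) must lie in Var(l) and the t_j with j < i; for
    a 3-CTRS, Var(r) must lie in Var(l) and all t_j.  Returns a message for
    the first violation, or None if the rule is deterministic."""
    name, lhs, rhs, conds = rule
    known = set(var_seq(lhs))
    for s_i, t_i in conds:
        if not set(var_seq(s_i)) <= known:
            return f"{name}: condition {s_i} uses a variable bound only later"
        known |= set(var_seq(t_i))
    if not set(var_seq(rhs)) <= known:
        return f"{name}: right-hand side uses an unbound variable"
    return None


def unravel_rule(rule: Rule) -> Tuple[List[Tuple[Term, Term]], Dict[str, Term]]:
    """U(p): |p|+1 unconditional rules.  Also returns, for every fresh
    U-symbol introduced, the left-hand side l of p (needed by V)."""
    problem = deterministic_violation(rule)
    if problem:
        raise ValueError(problem)
    name, lhs, rhs, conds = rule
    rules, owner = [], {}
    bound = var_seq(lhs)                  # Var(l), later extended by EVar(t_i)
    prev = lhs
    for i, (s_i, t_i) in enumerate(conds, start=1):
        u = f"U^{name}_{i}"
        owner[u] = lhs
        carried = tuple(bound)
        rules.append((prev, app(u, s_i, *carried)))   # ... -> U_i(s_i, ...)
        prev = app(u, t_i, *carried)                   # U_i(t_i, ...) -> ...
        bound = bound + [v for v in var_seq(t_i) if v not in bound]
    rules.append((prev, rhs))
    return rules, owner


def unravel(ctrs: List[Rule]):
    """U(R): the union of U(p) over all rules p, plus the U-symbol -> l map."""
    trs, owner = [], {}
    for rule in ctrs:
        r, o = unravel_rule(rule)
        trs.extend(r)
        owner.update(o)
    return trs, owner


def substitute(t: Term, sigma: Dict[str, Term]) -> Term:
    if is_var(t):
        return sigma.get(t, t)
    return (t[0], tuple(substitute(a, sigma) for a in t[1]))


def back_translate(t: Term, owner: Dict[str, Term]) -> Term:
    """V(t): a maximal U-subterm U^p_i(u, t_1, ..., t_n, ...) becomes l tau
    with tau(x_j) = V(t_j) for x_1, ..., x_n = Var(l); the first argument u
    and the EVar arguments are ignored, as in Definition 7."""
    if is_var(t):
        return t
    sym, args = t
    if sym in owner:
        lhs = owner[sym]
        xs = var_seq(lhs)
        tau = {x: back_translate(a, owner) for x, a in zip(xs, args[1:1 + len(xs)])}
        return substitute(lhs, tau)
    return (sym, tuple(back_translate(a, owner) for a in args))


# The two-rule system of the example following Definition 7.
DEF7_CTRS: List[Rule] = [
    ("p1", app("f", "x", "y"), "z", [("x", "z")]),
    ("p2", app("a"), app("b"), [(app("g", app("c")), app("d"))]),
]
```

The determinism check matters in practice: if a condition $s_i$ mentions a variable that is bound only by a later $t_j$, the unraveled rule $U^p_i(\ldots)$ would have a variable on its right-hand side that does not occur on its left, and $U(\mathcal{R})$ would not be a TRS.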

Informally, in a derivation $D : s \to^*_{U(\mathcal{R})} t$ where $s \in \mathcal{T}(\mathcal{F}, \mathcal{V})$, $\mathrm{V}$ replaces every maximal $U$-subterm $u$ (a $U$-subterm is a subterm with a $U$-symbol at the root) by $\mathrm{V}(u) \in \mathcal{T}(\mathcal{F}, \mathcal{V})$, the term which created $u$ in $D$.

Lemma 8. Let $s \in \mathcal{T}(\mathcal{F}, \mathcal{V})$. If $s \to^*_{U(\mathcal{R})} t$, then $s \to^*_{\mathcal{R}} \mathrm{V}(t) \to^*_{U(\mathcal{R})} t$.

Proof. By induction on the length $\ell$ of the derivation $D : s \to^*_{U(\mathcal{R})} t$. The base case $\ell = 0$ is obviously true. So suppose $D : s \to^*_{U(\mathcal{R})} t' \to_{U(\mathcal{R})} t$. According to the inductive hypothesis, we have $s \to^*_{\mathcal{R}} \mathrm{V}(t') \to^*_{U(\mathcal{R})} t'$. We show $\mathrm{V}(t') \to^*_{\mathcal{R}} \mathrm{V}(t) \to^*_{U(\mathcal{R})} t$ by case analysis. Suppose first that the redex contracted in the step $t' \to_{U(\mathcal{R})} t$ is below a $U$-symbol. Note that $l\sigma \to_{U(\mathcal{R})} U^p_1(s_1, Var(l))\sigma$ or $U^p_i(t_i, Var(l), \ldots)\sigma \to_{U(\mathcal{R})} U^p_{i+1}(s_{i+1}, Var(l), \ldots)\sigma$ imply that every argument in the terms $U^p_1(s_1, Var(l))\sigma$ and $U^p_{i+1}(s_{i+1}, Var(l), \ldots)\sigma$ is in normal form except for (possibly) the first one. This means that the redex contracted in $t' \to_{U(\mathcal{R})} t$ is a subterm of the first argument of some $U$-subterm of $t'$. So

$\mathrm{V}(t) = \mathrm{V}(t') \to^*_{U(\mathcal{R})} t' \to_{U(\mathcal{R})} t$

because the definition of $\mathrm{V}(t)$ is independent of the first argument of $U$-subterms of $t$. Next, we assume that there is no $U$-symbol above the contracted redex. Note that if $t' = C[l'\sigma] \in \mathcal{T}(\mathcal{F}', \mathcal{V})$ with $l' \to r' \in U(\mathcal{R})$ and there is no $U$-symbol above $l'\sigma$ in $C$, then $\mathrm{V}(t') = \mathrm{V}(C)[\mathrm{V}(l'\sigma)]$. Thus, it suffices to show the claim for the following cases:

1. $t' = l\sigma \to_{U(\mathcal{R})} r\sigma = t$, where $l \to r \in \mathcal{R}$.

2. $t' = l\sigma \to_{U(\mathcal{R})} U^p_1(s_1, Var(l))\sigma = t$.

3. $t' = U^p_i(t_i, Var(l), \ldots)\sigma \to_{U(\mathcal{R})} U^p_{i+1}(s_{i+1}, Var(l), \ldots)\sigma = t$.

4. $t' = U^p_{|p|}(t_{|p|}, Var(l), \ldots)\sigma \to_{U(\mathcal{R})} r\sigma = t$.

The first three cases are easy to prove. In case (4), we have $\mathrm{V}(t') = l\sigma_{\mathrm{V}}$. By the inductive hypothesis, $\mathrm{V}(t') = l\sigma_{\mathrm{V}} \to^*_{U(\mathcal{R})} t'$ holds true. Moreover, $\mathrm{V}(t) = r\sigma_{\mathrm{V}}$. Thus one must show that $l\sigma_{\mathrm{V}} \to^*_{\mathcal{R}} r\sigma_{\mathrm{V}} \to^*_{U(\mathcal{R})} t$. The derivation $D$ must contain a subsequence

$D' : l\sigma_{\mathrm{V}} \to^*_{U(\mathcal{R})} U^p_1(s_1, Var(l))\sigma \to^*_{U(\mathcal{R})} U^p_1(t_1, Var(l))\sigma \to_{U(\mathcal{R})} U^p_2(s_2, Var(l), \mathcal{E}Var(t_1))\sigma \to^*_{U(\mathcal{R})} \cdots \to^*_{U(\mathcal{R})} U^p_{|p|}(t_{|p|}, Var(l), \ldots)\sigma \to_{U(\mathcal{R})} r\sigma$

Note that $x\sigma_{\mathrm{V}} \to^*_{U(\mathcal{R})} x\sigma$ holds for every variable $x \in Var(l)$. If $\mathit{length}(D') < \mathit{length}(D)$, then the claim follows from the inductive hypothesis. So we have to show it for the case $D' = D$. Consider the derivation $D_1 : \mathrm{V}(s_1\sigma) = s_1\sigma_{\mathrm{V}} \to^*_{U(\mathcal{R})} s_1\sigma \to^*_{U(\mathcal{R})} t_1\sigma$. Since $\mathit{length}(D_1) < \mathit{length}(D)$, we infer from the inductive hypothesis that $s_1\sigma_{\mathrm{V}} \to^*_{\mathcal{R}} \mathrm{V}(t_1\sigma) = t_1\sigma_{\mathrm{V}} \to^*_{U(\mathcal{R})} t_1\sigma$. In particular, $x\sigma_{\mathrm{V}} \to^*_{U(\mathcal{R})} x\sigma$ is true for every variable $x \in Var(l) \cup Var(t_1)$. By continuing along these lines, we derive

$s_j\sigma_{\mathrm{V}} \to^*_{\mathcal{R}} t_j\sigma_{\mathrm{V}} \to^*_{U(\mathcal{R})} t_j\sigma$

for all $j \in \{1, \ldots, |p|\}$. Consequently, $l\sigma_{\mathrm{V}} \to_{\mathcal{R}} r\sigma_{\mathrm{V}}$. Finally, $r\sigma_{\mathrm{V}} \to^*_{U(\mathcal{R})} r\sigma$ is a consequence of the fact that $x\sigma_{\mathrm{V}} \to^*_{U(\mathcal{R})} x\sigma$ holds for every $x \in Var(l) \cup \bigcup_{j=1}^{|p|} Var(t_j)$ in conjunction with $Var(r) \subseteq Var(l) \cup \bigcup_{j=1}^{|p|} Var(t_j)$.

Lemma 9. If $\mathcal{R}$ is a quasi-decreasing deterministic 3-CTRS, then there is no infinite innermost $U(\mathcal{R})$-derivation starting from a term $s \in \mathcal{T}(\mathcal{F},\mathcal{V})$.

Proof. Let $\mathcal{R}$ be quasi-decreasing w.r.t. $\succ$. We show by well-founded induction on $\succ$ that every innermost $U(\mathcal{R})$-derivation starting from $s \in \mathcal{T}(\mathcal{F},\mathcal{V})$ is finite. If $s \to_{\mathcal{R}} u \in \mathcal{T}(\mathcal{F},\mathcal{V})$, then $s \succ u$ because $\to_{\mathcal{R}} \subseteq \succ$, and it follows from the inductive hypothesis that every innermost $U(\mathcal{R})$-derivation starting from $u \in \mathcal{T}(\mathcal{F},\mathcal{V})$ is finite. Moreover, if $t$ is a proper subterm of $s$ and $t \to_{\mathcal{R}} u \in \mathcal{T}(\mathcal{F},\mathcal{V})$, then we infer $s \succ t \succ u$ because $\succ$ has the subterm property and $\to_{\mathcal{R}} \subseteq \succ$. Hence every innermost $U(\mathcal{R})$-derivation starting from $t$ or $u$ is also finite.

For a proof by contradiction, suppose that there is an infinite innermost $U(\mathcal{R})$-derivation $D$ starting from $s$. According to the above, $D$ must be of the form
$$D : s \to^*_{U(\mathcal{R})} f(v_1, \ldots, v_m) = l\sigma \to_{U(\mathcal{R})} U_1^\rho(s_1, Var(l))\sigma \to_{U(\mathcal{R})} \cdots$$
where $s = f(u_1, \ldots, u_m)$ and every $v_j \in NF(\to_{U(\mathcal{R})})$, i.e., every $v_j$ is a normal form w.r.t. $\to_{U(\mathcal{R})}$. Since $u_j \to^*_{U(\mathcal{R})} v_j$, we derive from Lemma 8 that $u_j \to^*_{\mathcal{R}} \nabla(v_j) \to^*_{U(\mathcal{R})} v_j$. If $u_j \neq \nabla(v_j)$ for some $j$, then the derivation
$$s \to^+_{\mathcal{R}} f(\nabla(v_1), \ldots, \nabla(v_m)) = t \to^*_{U(\mathcal{R})} f(v_1, \ldots, v_m) \to_{U(\mathcal{R})} \cdots$$
is infinite, which is impossible because $\to_{\mathcal{R}} \subseteq \succ$ and hence there is no infinite innermost $U(\mathcal{R})$-derivation starting from $t$. Thus $u_j = \nabla(v_j)$ for every $j$. It is not difficult to check that $s = l\sigma_\nabla$ follows as a consequence. Therefore, $D$ has the form
$$D : s = l\sigma_\nabla \to^*_{U(\mathcal{R})} l\sigma \to_{U(\mathcal{R})} U_1^\rho(s_1, Var(l))\sigma \to_{U(\mathcal{R})} \cdots$$
The validity of the inequality $l\sigma_\nabla \succ s_1\sigma_\nabla$ is a consequence of the fact that $\mathcal{R}$ is quasi-decreasing. Hence there is no infinite innermost $U(\mathcal{R})$-derivation starting from $s_1\sigma_\nabla$. Since $s_1\sigma_\nabla \to^*_{U(\mathcal{R})} s_1\sigma$, every innermost $U(\mathcal{R})$-derivation starting from $s_1\sigma$ must be finite. The derivation $D$ thus looks like
$$s = l\sigma_\nabla \to^*_{U(\mathcal{R})} l\sigma \to_{U(\mathcal{R})} U_1^\rho(s_1, Var(l))\sigma \to^*_{U(\mathcal{R})} U_1^\rho(t_1, Var(l))\sigma \to_{U(\mathcal{R})} \cdots$$
Now $s_1\sigma_\nabla \to^*_{U(\mathcal{R})} s_1\sigma \to^*_{U(\mathcal{R})} t_1\sigma$ yields $s_1\sigma_\nabla \to^*_{\mathcal{R}} t_1\sigma_\nabla \to^*_{U(\mathcal{R})} t_1\sigma$ by Lemma 8. It follows that $l\sigma_\nabla \succ s_2\sigma_\nabla$ because $\mathcal{R}$ is quasi-decreasing w.r.t. $\succ$, and we may continue with the above reasoning. All in all, $D$ must have the form
$$l\sigma_\nabla \to^*_{U(\mathcal{R})} U_1^\rho(s_1, Var(l))\sigma \to^*_{U(\mathcal{R})} U_{|\rho|}^\rho(t_{|\rho|}, Var(l), \ldots)\sigma \to_{U(\mathcal{R})} r\sigma \to_{U(\mathcal{R})} \cdots$$
Hence $l\sigma_\nabla \to_{\mathcal{R}} r\sigma_\nabla \to^*_{U(\mathcal{R})} r\sigma$ by Lemma 8. We conclude that there is an infinite innermost $U(\mathcal{R})$-derivation starting from $r\sigma_\nabla$, which is impossible because $s = l\sigma_\nabla \succ r\sigma_\nabla$. $\square$

Theorem 10. If $\mathcal{R}$ is a quasi-decreasing deterministic 3-CTRS, then $U(\mathcal{R})$ is innermost terminating.

Proof. We prove by structural induction that there is no infinite innermost $U(\mathcal{R})$-derivation starting from a term $s \in \mathcal{T}(\mathcal{F}',\mathcal{V})$. If (a) $s$ is a variable, then it is in normal form. If (b) $s$ is a constant, then $s \in \mathcal{T}(\mathcal{F},\mathcal{V})$ and the claim follows from Lemma 9. Suppose (c) $s = U_i^\rho(u_1, \ldots, u_m)$. Every infinite innermost $U(\mathcal{R})$-derivation starting from $s$ must have the form
$$D : s = U_i^\rho(u_1, \ldots, u_m) \to^*_{U(\mathcal{R})} U_i^\rho(v_1, \ldots, v_m) = U_i^\rho(t_i, Var(l), \ldots)\sigma \to_{U(\mathcal{R})} U_{i+1}^\rho(s_{i+1}, Var(l), \ldots)\sigma \to_{U(\mathcal{R})} \cdots$$
where $v_j \in NF(\to_{U(\mathcal{R})})$ for every $1 \le j \le m$. If $s_{i+1}$ is a variable, then $s_{i+1}\sigma \in NF(\to_{U(\mathcal{R})})$. Otherwise $root(s_{i+1}) \in \mathcal{F}$ and by case (d) there is no infinite innermost $U(\mathcal{R})$-derivation starting from $s_{i+1}\sigma$. A repetition of these arguments shows that $D$ has the form
$$D : s = U_i^\rho(u_1, \ldots, u_m) \to^*_{U(\mathcal{R})} U_{|\rho|}^\rho(t_{|\rho|}, Var(l), \ldots)\sigma \to_{U(\mathcal{R})} r\sigma \to_{U(\mathcal{R})} \cdots$$
Again, if $r$ is a variable, then $r\sigma \in NF(\to_{U(\mathcal{R})})$. Otherwise $root(r) \in \mathcal{F}$ and by case (d) there is no infinite innermost $U(\mathcal{R})$-derivation starting from $r\sigma$.

(d) Suppose $s = f(u_1, \ldots, u_m)$, where $f \in \mathcal{F}$ and $u_j \in \mathcal{T}(\mathcal{F}',\mathcal{V})$. For a proof by contradiction, suppose that there is an infinite innermost $U(\mathcal{R})$-derivation
$$D : s = f(u_1, \ldots, u_m) \to^*_{U(\mathcal{R})} f(v_1, \ldots, v_m) = t \to_{U(\mathcal{R})} \cdots$$
where $v_j \in NF(\to_{U(\mathcal{R})})$. If $t \in \mathcal{T}(\mathcal{F},\mathcal{V})$, then the assertion follows from Lemma 9. Otherwise, $t$ contains $U$-subterms but all of them are in normal form. We may write $t = C[w_1, \ldots, w_n]$, where $C \in \mathcal{T}(\mathcal{F},\mathcal{V})$ and every term $w_i$ is a (maximal) $U$-subterm of $t$. In order to cope with non-left-linear rules, we have to distinguish between those $U$-subterms of $t$ which can be created by a term without $U$-symbols and those which can't. For the sake of simplicity, let us assume that for every $1 \le j \le i$ there is a term $w'_j \in \mathcal{T}(\mathcal{F},\mathcal{V})$ such that $w'_j \to^*_{U(\mathcal{R})} w_j$, but for every $i < j \le n$ no such term exists. Then there is an infinite innermost $U(\mathcal{R})$-derivation
$$D' : s' = C[w'_1, \ldots, w'_i, w_{i+1}, \ldots, w_n] \to^*_{U(\mathcal{R})} f(v_1, \ldots, v_m) = t \to_{U(\mathcal{R})} \cdots$$
In order to get rid of the remaining $U$-subterms $w_{i+1}, \ldots, w_n$, we mark$^1$ every $w_j$, $i < j \le n$, and choose fresh variables $x_{i+1}, \ldots, x_n$ with the property that $x_j = x_k$ if and only if $w_j = w_k$ for $i < j < k \le n$. Let $\Phi$ be the transformation which replaces every marked occurrence of $w_j$ in a term with $x_j$. We claim that the transformed derivation $\Phi(D')$
$$\Phi(s') = C[w'_1, \ldots, w'_i, x_{i+1}, \ldots, x_n] \to^*_{U(\mathcal{R})} \Phi(f(v_1, \ldots, v_m)) = \Phi(t) \to_{U(\mathcal{R})} \cdots$$
is an infinite innermost $U(\mathcal{R})$-derivation. Since $\Phi(s') \in \mathcal{T}(\mathcal{F},\mathcal{V})$, this yields the desired contradiction to Lemma 9. Let $C[l\sigma] \to_{U(\mathcal{R})} C[r\sigma]$ be a reduction step in $D'$, where $l \to r \in U(\mathcal{R})$. The reduction step cannot take place in a marked subterm because every marked subterm is in normal form, so $\Phi(C[l\sigma]) = \Phi(C)[\Phi(l\sigma)]$. Moreover, we have $\Phi(l\sigma) = l\sigma_\Phi$, where $\sigma_\Phi$ is defined by $x\sigma_\Phi = \Phi(x\sigma)$, because no proper subterm of $l$ contains a $U$-symbol. It is thus sufficient to show $l\sigma_\Phi \to_{U(\mathcal{R})} r\sigma_\Phi$ because this yields
$$\Phi(C[l\sigma]) = \Phi(C)[l\sigma_\Phi] \to_{U(\mathcal{R})} \Phi(C)[r\sigma_\Phi] = \Phi(C[r\sigma]).$$
We first show $l\sigma_\Phi \to_{U(\mathcal{R})} r\sigma_\Phi$. Since $l$ may be non-left-linear, we have to show that $x\sigma = y\sigma$ implies $x\sigma_\Phi = y\sigma_\Phi$ for every pair $x, y$ of variables from $Var(l)$. So suppose that $x\sigma$ contains a marked $U$-subterm, say at position $p$. Then $y\sigma$ contains the same subterm $u$ at position $p$. Since $u$ hasn't been created in the derivation $D'$ (there is no $u' \in \mathcal{T}(\mathcal{F},\mathcal{V})$ with $u' \to^*_{U(\mathcal{R})} u$), it is also marked. Therefore, $l\sigma_\Phi \to_{U(\mathcal{R})} r\sigma_\Phi$. Furthermore, by the choice of the fresh variables $x_{i+1}, \ldots, x_n$, $x\sigma_\Phi = y\sigma_\Phi$ also implies $x\sigma = y\sigma$. Consequently, $l\sigma_\Phi \to_{U(\mathcal{R})} r\sigma_\Phi$ is an innermost reduction step (for otherwise $l\sigma \to_{U(\mathcal{R})} r\sigma$ wouldn't be innermost). This concludes the proof. $\square$

$^1$ For instance by underlining the root symbol.




Transforming Conditional Rewrite Systems with Extra Variables . . . 






5 Application 1: Modularity 

From the previous sections, we know that the following implications hold:
$$U(\mathcal{R}) \text{ is terminating} \Rightarrow \mathcal{R} \text{ is quasi-reductive} \Rightarrow \mathcal{R} \text{ is quasi-decreasing} \Rightarrow U(\mathcal{R}) \text{ is innermost terminating.}$$

Gramlich [Gra95, Thm. 3.23] showed that a non-overlapping TRS is terminating if and only if it is innermost terminating. Thus, if $U(\mathcal{R})$ is non-overlapping, then the above implications are in fact equivalences. However, non-overlappingness of $U(\mathcal{R})$ is not implied by non-overlappingness of $\mathcal{R}$. For example, the system $\mathcal{R} = \{a \to b \Leftarrow b \to a\}$ is non-overlapping but $U(\mathcal{R}) = \{a \to U(b),\ U(a) \to b\}$ is not, since the left-hand side $a$ occurs as a proper subterm of the left-hand side $U(a)$. The situation is different for syntactically deterministic 3-CTRSs, which will be considered next.

Definition 11. A deterministic 3-CTRS $\mathcal{R}$ is called syntactically deterministic if, for every $l \to r \Leftarrow s_1 \to t_1, \ldots, s_k \to t_k$ in $\mathcal{R}$, every term $t_i$ is a constructor term$^2$ or a ground $\mathcal{R}_u$-normal form, where $\mathcal{R}_u = \{l \to r \mid l \to r \Leftarrow c \in \mathcal{R}\}$.

Syntactically deterministic CTRSs are a natural generalization of normal CTRSs. The quicksort system shows that these systems arise quite naturally. As a matter of fact, every syntactically deterministic CTRS is strongly deterministic (see [ALS94] for a definition), but in contrast to the latter property, it is decidable whether a CTRS is syntactically deterministic or not. Strongly deterministic systems are interesting because of the critical pair lemma that holds for them [ALS94, Thm. 4.1].

According to the next lemma, for non-overlapping syntactically deterministic 3-CTRSs all of the above implications are equivalences.

Lemma 12. The transformed system $U(\mathcal{R})$ of a syntactically deterministic 3-CTRS $\mathcal{R}$ is non-overlapping if $\mathcal{R}$ is non-overlapping.

Proof. Let $l_1 \to r_1$ and $l_2 \to r_2$ be renamed versions of rewrite rules from $U(\mathcal{R})$ such that they don't have variables in common. If $l_1$ and $l_2$ are left-hand sides of rules from $\mathcal{R}$, then they cannot overlap because $\mathcal{R}$ is non-overlapping. If both $l_1$ and $l_2$ have a $U$-symbol at their root, then they cannot overlap either because of the shape of the $U$-rules ($U$-symbols only occur at root positions and the root symbols of two different $U$-rules cannot be the same). Thus let $l_1$ be a left-hand side of a rule from $\mathcal{R}$ and $l_2 = U_i^\rho(t_i, Var(l), \ldots)$. For an indirect proof, suppose that $l_1$ and $l_2$ do overlap. Obviously, $l_1$ must overlap with a subterm of $t_i$. This, however, is impossible because $t_i$ is either a constructor term or a ground $\mathcal{R}_u$-normal form. $\square$

Lemma 12 can be refined to demand only exactly what is required by the proof. For instance, the 3-CTRS $\mathcal{R}$ need not be syntactically deterministic; it is sufficient to demand that no left-hand side $l_1$ of a rule from $\mathcal{R}$ overlaps a term $t_i$ of another rule $l_2 \to r_2 \Leftarrow s_1 \to t_1, \ldots, s_k \to t_k$ from $\mathcal{R}$. Moreover, non-overlappingness of $\mathcal{R}$ can be slightly weakened in the preceding lemma. For instance, we may allow infeasible critical pairs as in the quicksort system by using the "optimized" $U$-transformation explained earlier.

$^2$ A constructor term is a term without defined symbols.

Now we are in a position to prove a nice modularity result for CTRSs with extra variables on the right-hand sides of the rules. The reader is assumed to be familiar with the concepts of the field of modularity. Details and references to the literature can be found e.g. in [Ohl95]. Let $\mathcal{R}$ be a CTRS over the signature $\mathcal{F}$. A function symbol $f \in \mathcal{F}$ is called a defined symbol if there is a rewrite rule $l \to r \Leftarrow c \in \mathcal{R}$ such that $f = root(l)$. Function symbols from $\mathcal{F}$ which are not defined symbols are called constructors. If $\mathcal{R}_1$ and $\mathcal{R}_2$ are CTRSs over the signatures $\mathcal{F}_1$ and $\mathcal{F}_2$, respectively, then their combined system is their union $\mathcal{R} = \mathcal{R}_1 \cup \mathcal{R}_2$ over the signature $\mathcal{F} = \mathcal{F}_1 \cup \mathcal{F}_2$. Its set of defined symbols is $\mathcal{D} = \mathcal{D}_1 \cup \mathcal{D}_2$ and its set of constructors is $\mathcal{C} = \mathcal{F} \setminus \mathcal{D}$, where $\mathcal{D}_i$ ($\mathcal{C}_i$) denotes the defined symbols (constructors) in $\mathcal{R}_i$.

(1) $\mathcal{R}_1$ and $\mathcal{R}_2$ are disjoint if $\mathcal{F}_1 \cap \mathcal{F}_2 = \emptyset$.

(2) $\mathcal{R}_1$ and $\mathcal{R}_2$ are constructor-sharing if $\mathcal{F}_1 \cap \mathcal{F}_2 = \mathcal{C}_1 \cap \mathcal{C}_2$ ($\subseteq \mathcal{C}$).

(3) $\mathcal{R}_1$ and $\mathcal{R}_2$ are composable if $\mathcal{C}_1 \cap \mathcal{D}_2 = \mathcal{D}_1 \cap \mathcal{C}_2 = \emptyset$ and both systems contain all rewrite rules that define a defined symbol whenever that symbol is shared, that is to say, $\{l \to r \Leftarrow c \in \mathcal{R} \mid root(l) \in \mathcal{D}_1 \cap \mathcal{D}_2\} \subseteq \mathcal{R}_1 \cap \mathcal{R}_2$.

A property $\mathcal{P}$ is modular for a certain class of CTRSs if, for all CTRSs $(\mathcal{F}_1, \mathcal{R}_1)$ and $(\mathcal{F}_2, \mathcal{R}_2)$ belonging to that class and having property $\mathcal{P}$, their union $(\mathcal{F}_1 \cup \mathcal{F}_2, \mathcal{R}_1 \cup \mathcal{R}_2)$ also belongs to that class and has the property $\mathcal{P}$.

Proposition 13. Let $\mathcal{R}_1$ and $\mathcal{R}_2$ be quasi-reductive (quasi-decreasing, respectively) deterministic 3-CTRSs. Their combined system $\mathcal{R}_1 \cup \mathcal{R}_2$ is quasi-reductive if

1. $U(\mathcal{R}_1)$ and $U(\mathcal{R}_2)$ belong to a class of TRSs for which innermost termination is modular, and

2. $U(\mathcal{R}_1 \cup \mathcal{R}_2)$ is non-overlapping.

Proof. Since $\mathcal{R}_1$ and $\mathcal{R}_2$ are quasi-reductive, they are quasi-decreasing by Lemma 4. Thus the transformed TRSs $U(\mathcal{R}_1)$ and $U(\mathcal{R}_2)$ are innermost terminating by Theorem 10. Their combination $U(\mathcal{R}_1) \cup U(\mathcal{R}_2) = U(\mathcal{R}_1 \cup \mathcal{R}_2)$ is also innermost terminating because innermost termination is modular. Since innermost termination and termination coincide for non-overlapping systems, $U(\mathcal{R}_1 \cup \mathcal{R}_2)$ is terminating. Now the assertion follows from Proposition 6. $\square$

Theorem 14. Quasi-reductivity (quasi-decreasingness, respectively) is modular for non-overlapping syntactically deterministic composable 3-CTRSs.

Proof. Let $\mathcal{R}_1$ and $\mathcal{R}_2$ be quasi-reductive non-overlapping syntactically deterministic composable 3-CTRSs. It is relatively easy to verify that $U(\mathcal{R}_1)$ and $U(\mathcal{R}_2)$ are composable since $\mathcal{R}_1$ and $\mathcal{R}_2$ are composable (note that the $U$-symbols $U_i^\rho$ used in the transformation $U(\rho)$ are marked with the rule $\rho$). Note that innermost termination is modular for composable TRSs; see [Ohl95]. According to Lemma 12, the TRSs $U(\mathcal{R}_1)$ and $U(\mathcal{R}_2)$ are non-overlapping. The system $U(\mathcal{R}_1 \cup \mathcal{R}_2) = U(\mathcal{R}_1) \cup U(\mathcal{R}_2)$ is non-overlapping as well because the union of two non-overlapping composable TRSs is again non-overlapping. Hence the combined system $\mathcal{R}_1 \cup \mathcal{R}_2$ is quasi-reductive by Proposition 13. Furthermore, $\mathcal{R}_1 \cup \mathcal{R}_2$ is obviously non-overlapping and syntactically deterministic. $\square$

As already mentioned, Lemma 12 can be generalized as follows: if functions are defined by distinct cases, then the "optimized" transformation described earlier still yields a non-overlapping transformed system $U(\mathcal{R})$. Clearly, Theorem 14 remains valid for these systems. For example, this generalized version of Theorem 14 can be applied to the function $quorem$ which computes the quotient and the remainder of $m$ and $n$:

$0 - s(y) \to 0$
$x - 0 \to x$
$s(x) - s(y) \to x - y$
$x < 0 \to false$
$0 < s(x) \to true$
$s(x) < s(y) \to x < y$
$quorem(0, s(y)) \to (0, 0)$
$quorem(s(x), s(y)) \to (0, s(x)) \Leftarrow x < y \to true$
$quorem(s(x), s(y)) \to (s(q), r) \Leftarrow x < y \to false,\ quorem(x - y, s(y)) \to (q, r)$

and the function $filter$ which filters out of a list of natural numbers all elements that have remainder $r$ when divided by $n$ (that is, it keeps exactly those elements):

$0 - s(y) \to 0$
$x - 0 \to x$
$s(x) - s(y) \to x - y$
$0 \le y \to true$
$s(x) \le 0 \to false$
$s(x) \le s(y) \to x \le y$
$eq(0, 0) \to true$
$eq(s(x), 0) \to false$
$eq(0, s(y)) \to false$
$eq(s(x), s(y)) \to eq(x, y)$
$mod(0, y) \to 0$
$mod(s(x), 0) \to 0$
$mod(s(x), s(y)) \to mod(x - y, s(y)) \Leftarrow y \le x \to true$
$mod(s(x), s(y)) \to s(x) \Leftarrow y \le x \to false$
$filter(n, r, nil) \to nil$
$filter(n, r, x : xs) \to x : filter(n, r, xs) \Leftarrow mod(x, n) \to r',\ eq(r, r') \to true$
$filter(n, r, x : xs) \to filter(n, r, xs) \Leftarrow mod(x, n) \to r',\ eq(r, r') \to false$

Both systems are syntactically deterministic composable 3-CTRSs which can be shown quasi-reductive by Proposition 6 in conjunction with the dependency pair
124 Enno Ohlebusch 



technique. Hence we can conclude from the generalized version of Theorem 14 that their combined system is also quasi-reductive.
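
As an added example (not part of the paper), the following Python evaluator implements the innermost rewriting semantics of deterministic 3-CTRSs and runs it on the $quorem$ and $filter$ systems above and on their union: a condition $s_i \to t_i$ is decided by normalising $s_i\sigma$ and matching the normal form against $t_i$, which binds the extra variables $q$, $r$ and $r'$. The tuple encoding of terms, all helper names and the sample inputs are choices made for this example.

```python
# Added example (not code from the paper): an innermost evaluator for deterministic
# 3-CTRSs, applied to the quorem and filter systems and to their union.  Terms are
# nested tuples ("f", t1, ..., tn), constants are 1-tuples, variables are plain strings;
# a rule is (lhs, rhs, [(s_1, t_1), ...]).  The encoding and all names are chosen here.

Z, T, F, NIL = ("0",), ("true",), ("false",), ("nil",)
def S(t): return ("s", t)
def cons(x, xs): return (":", x, xs)


def match(pat, term, sigma):
    """Syntactic matching of pat against term; bindings are added to sigma in place."""
    if isinstance(pat, str):  # variable
        if pat in sigma:
            return sigma[pat] == term
        sigma[pat] = term
        return True
    return (isinstance(term, tuple) and pat[0] == term[0] and len(pat) == len(term)
            and all(match(p, t, sigma) for p, t in zip(pat[1:], term[1:])))


def subst(t, sigma):
    if isinstance(t, str):
        return sigma.get(t, t)
    return (t[0],) + tuple(subst(s, sigma) for s in t[1:])


def normalize(term, rules):
    """Innermost normal form: normalise the arguments first, then try the rules at the
    root.  A condition s -> t holds if the normal form of s*sigma matches t, which may
    bind the extra variables of t (the deterministic 3-CTRS semantics)."""
    if isinstance(term, str):
        return term
    term = (term[0],) + tuple(normalize(s, rules) for s in term[1:])
    for lhs, rhs, conds in rules:
        sigma = {}
        if match(lhs, term, sigma) and all(
                match(t, normalize(subst(s, sigma), rules), sigma) for s, t in conds):
            return normalize(subst(rhs, sigma), rules)
    return term


# The rules exactly as listed above (r' is written r2).
SUB = [(("-", Z, S("y")), Z, []), (("-", "x", Z), "x", []),
       (("-", S("x"), S("y")), ("-", "x", "y"), [])]
LT = [(("<", "x", Z), F, []), (("<", Z, S("x")), T, []),
      (("<", S("x"), S("y")), ("<", "x", "y"), [])]
QUOREM = [
    (("quorem", Z, S("y")), ("pair", Z, Z), []),
    (("quorem", S("x"), S("y")), ("pair", Z, S("x")), [(("<", "x", "y"), T)]),
    (("quorem", S("x"), S("y")), ("pair", S("q"), "r"),
     [(("<", "x", "y"), F), (("quorem", ("-", "x", "y"), S("y")), ("pair", "q", "r"))]),
]
LEQ = [(("<=", Z, "y"), T, []), (("<=", S("x"), Z), F, []),
       (("<=", S("x"), S("y")), ("<=", "x", "y"), [])]
EQ = [(("eq", Z, Z), T, []), (("eq", S("x"), Z), F, []), (("eq", Z, S("y")), F, []),
      (("eq", S("x"), S("y")), ("eq", "x", "y"), [])]
MOD = [(("mod", Z, "y"), Z, []), (("mod", S("x"), Z), Z, []),
       (("mod", S("x"), S("y")), ("mod", ("-", "x", "y"), S("y")), [(("<=", "y", "x"), T)]),
       (("mod", S("x"), S("y")), S("x"), [(("<=", "y", "x"), F)])]
FILTER = [
    (("filter", "n", "r", NIL), NIL, []),
    (("filter", "n", "r", cons("x", "xs")), cons("x", ("filter", "n", "r", "xs")),
     [(("mod", "x", "n"), "r2"), (("eq", "r", "r2"), T)]),
    (("filter", "n", "r", cons("x", "xs")), ("filter", "n", "r", "xs"),
     [(("mod", "x", "n"), "r2"), (("eq", "r", "r2"), F)]),
]
R1 = SUB + LT + QUOREM              # the quorem system
R2 = SUB + LEQ + EQ + MOD + FILTER  # the filter system
COMBINED = R1 + [rule for rule in R2 if rule not in R1]  # R1 union R2; only '-' is shared


def nat(n): return Z if n == 0 else S(nat(n - 1))
def lst(xs): return cons(nat(xs[0]), lst(xs[1:])) if xs else NIL


def to_int(t):
    k = 0
    while t != Z:
        t, k = t[1], k + 1
    return k


def to_list(t):
    out = []
    while t != NIL:
        out.append(to_int(t[1]))
        t = t[2]
    return out


def quorem_demo(m, n):
    """(quotient, remainder) of m and n > 0, computed by rewriting in the combined system."""
    _, q, r = normalize(("quorem", nat(m), nat(n)), COMBINED)
    return to_int(q), to_int(r)


def filter_demo(n, r, xs):
    """The elements of xs with remainder r modulo n, computed in the combined system."""
    return to_list(normalize(("filter", nat(n), nat(r), lst(xs)), COMBINED))


if __name__ == "__main__":
    print(quorem_demo(7, 3))                # (2, 1)
    print(filter_demo(3, 1, [1, 4, 5, 7]))  # [1, 4, 7]
```

Because the two systems only share the rules for $-$ (and the constructors $0$, $s$, $true$, $false$), the union contains each shared rule once, which is the composability condition (3) above; the evaluator terminates on every query shown because the combined system is quasi-reductive.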

6 Application 2: Well-Moded Logic Programs

Next we will show how our results can be used to show termination of well-moded logic programs. We assume that the reader is familiar with logic programming and SLD derivations and will only review the following notions.

If $P$ is a predicate symbol and $t_1, \ldots, t_n$ are terms, then $P(t_1, \ldots, t_n)$ is an atom. A Horn clause is a formula of the form $A \leftarrow B_1, \ldots, B_m$ where $m \ge 0$ and $A, B_i$ are atoms. A logic program $\mathcal{P}$ is a set of Horn clauses. A query is a formula of the form $\leftarrow B_1, \ldots, B_m$ where $m \ge 1$ and $B_i$ are atoms.

A logic program $\mathcal{P}$ is moded if for each occurrence of an atom $A = P(t_1, \ldots, t_n)$ there is a function $m_A : \{1, \ldots, n\} \to \{in, out\}$. If $m_A(i) = in$ ($m_A(i) = out$) then position $i$ is called an input position (output position) of $A$. A variable $x$ occurs in an input (output) position in $A$ if $x \in Var(t_i)$ for some $i$ with $m_A(i) = in$ ($m_A(i) = out$).

Here only left-to-right SLD-derivations will be considered. In these derivations it is always the leftmost literal of a query that is selected for the next resolution step. Moreover, we will restrict our attention to LR-well-moded programs.

Definition 15. 1. Let $C = A \leftarrow B_1, \ldots, B_m$ be a clause and $x \in Var(C)$. The head $A$ of $C$ is called a producer (consumer) of $x$ if $x$ occurs in an input (output) position of $A$. The body atom $B_j$ is called a producer (consumer) of $x$ if $x$ occurs in an output (input) position of $B_j$.

2. The clause $B_0 \leftarrow B_1, \ldots, B_m$ is called LR-well-moded if every variable $x$ in the clause has a producer $B_i$ ($0 \le i \le m$) and $i < j$ for every consumer $B_j$ ($1 \le j \le m$) of $x$ in the body of the clause. A logic program $\mathcal{P}$ is LR-well-moded if every clause in $\mathcal{P}$ is LR-well-moded.

3. A query $\leftarrow B_1, \ldots, B_m$ is LR-well-moded if every variable $x$ in the query has a producer $B_i$ such that for every consumer $B_j$ of $x$ we have $i < j$.

By this definition, if $\leftarrow B_1, \ldots, B_m$ is LR-well-moded and $B_1 = P(t_1, \ldots, t_n)$, then, for all input positions $i$ of $B_1$, $t_i$ is a ground term.

We transform every LR-well-moded logic program $\mathcal{P}$ into a deterministic 3-CTRS $R_\mathcal{P}$ as in [GW93,ALS94]. For every atom $A = P(t_1, \ldots, t_n)$ with input positions $i_1, \ldots, i_u$ and output positions $i_{u+1}, \ldots, i_n$ there are two new function symbols $P_{in}$ and $P_{out}$, and we define $P_{in}(A) = P_{in}(t_{i_1}, \ldots, t_{i_u})$, $P_{out}(A) = P_{out}(t_{i_{u+1}}, \ldots, t_{i_n})$, and $p(A) = P_{in}(A) \to P_{out}(A)$. The transformation $p(C)$ of a clause $C = A \leftarrow B_1, \ldots, B_m$ is defined to be the rule
$$p(A) \Leftarrow p(B_1), \ldots, p(B_m)$$
and with every logic program $\mathcal{P}$ we associate $R_\mathcal{P} = \{p(C) \mid C \in \mathcal{P}\}$. Note that $R_\mathcal{P}$ is a syntactically deterministic 3-CTRS over the signature $F_\mathcal{P} = F^p_\mathcal{P} \cup F^f_\mathcal{P}$, where $F^p_\mathcal{P} = \{P_{in}, P_{out} \mid P \text{ is a predicate in } \mathcal{P}\}$ and $F^f_\mathcal{P} = \{f \mid f \text{ occurs in a term of an atom in } \mathcal{P}\}$.

As an example, consider the logic program $\mathcal{P}$ which implements the quicksort algorithm:

$qsort([\,], [\,]) \leftarrow$
$qsort(x : l, s) \leftarrow split(l, x, l_1, l_2),\ qsort(l_1, s_1),\ qsort(l_2, s_2),\ app(s_1, x : s_2, s)$
$split([\,], x, [\,], [\,]) \leftarrow$
$split(x : l, y, x : l_1, l_2) \leftarrow less(x, y),\ split(l, y, l_1, l_2)$
$split(x : l, y, l_1, x : l_2) \leftarrow geq(x, y),\ split(l, y, l_1, l_2)$

with input positions $m_{qsort}(1) = m_{split}(1) = m_{split}(2) = in$ and output positions $m_{qsort}(2) = m_{split}(3) = m_{split}(4) = out$ (both positions of $less$ and $geq$ are input positions, and $app$ has input positions 1, 2 and output position 3, as can be read off the rules below). The transformation yields the deterministic 3-CTRS $R_\mathcal{P}$

$qsort_{in}([\,]) \to qsort_{out}([\,])$
$qsort_{in}(x : l) \to qsort_{out}(s) \Leftarrow split_{in}(l, x) \to split_{out}(l_1, l_2),\ qsort_{in}(l_1) \to qsort_{out}(s_1),\ qsort_{in}(l_2) \to qsort_{out}(s_2),\ app_{in}(s_1, x : s_2) \to app_{out}(s)$
$split_{in}([\,], x) \to split_{out}([\,], [\,])$
$split_{in}(x : l, y) \to split_{out}(x : l_1, l_2) \Leftarrow less_{in}(x, y) \to less_{out},\ split_{in}(l, y) \to split_{out}(l_1, l_2)$
$split_{in}(x : l, y) \to split_{out}(l_1, x : l_2) \Leftarrow geq_{in}(x, y) \to geq_{out},\ split_{in}(l, y) \to split_{out}(l_1, l_2)$

Note that each rule of $R_\mathcal{P}$ has the form
$$P_{in}(u_1, \ldots, u_m) \to P_{out}(u'_1, \ldots, u'_{m'}) \Leftarrow P^1_{in}(\ldots) \to P^1_{out}(\ldots),\ \ldots,\ P^k_{in}(\ldots) \to P^k_{out}(\ldots)$$
where all argument terms are elements of $\mathcal{T}(F^f_\mathcal{P}, \mathcal{V})$. In particular, every $l \to r \Leftarrow s_1 \to t_1, \ldots, s_k \to t_k$ in $R_\mathcal{P}$ satisfies: (1) the root symbol is the only defined symbol in $l$ and $s_i$, and (2) $r$ and $t_i$ are constructor terms.
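
As an added example (not part of the paper), the following Python code carries out the transformation $p$ for the quicksort program: it checks LR-well-modedness of every clause according to Definition 15 and then builds the rule $p(A) \Leftarrow p(B_1), \ldots, p(B_m)$. The moding of $less$, $geq$ and $app$ (all positions input, except the third position of $app$) is read off the rules of $R_\mathcal{P}$ above, and the convention that every alphanumeric identifier inside a term is a variable holds for this particular program only; all names are chosen for this example.

```python
import re

# Added example (not code from the paper): the transformation p from LR-well-moded logic
# programs to deterministic 3-CTRSs, with the LR-well-modedness check of Definition 15.
# Atoms are (predicate, [argument terms as strings]); a clause is (head, [body atoms]).
# In this program every alphanumeric identifier inside a term is a variable ([] and :
# are the only constructors), which the variable extraction below relies on.
# The modes of less, geq and app are read off the rules of R_P in the text.

MODES = {"qsort": ("in", "out"), "split": ("in", "in", "out", "out"),
         "less": ("in", "in"), "geq": ("in", "in"), "app": ("in", "in", "out")}


def term_vars(term):
    return set(re.findall(r"[a-z][a-z0-9]*", term))


def is_lr_well_moded(head, body, modes):
    """Definition 15(2): every variable has a producer B_i (the head, i = 0, produces at
    its input positions; a body atom produces at its output positions) and i < j for
    every body atom B_j consuming it at an input position."""
    clause = [head] + list(body)
    produced = {}  # variable -> index of its first producer
    for i, (pred, args) in enumerate(clause):
        producing = "in" if i == 0 else "out"
        for arg, mode in zip(args, modes[pred]):
            if mode == producing:
                for v in term_vars(arg):
                    produced.setdefault(v, i)
    all_vars = {v for _, args in clause for arg in args for v in term_vars(arg)}
    if all_vars - set(produced):
        return False
    for j, (pred, args) in enumerate(clause[1:], start=1):
        for arg, mode in zip(args, modes[pred]):
            if mode == "in" and any(produced[v] >= j for v in term_vars(arg)):
                return False
    return True


def p_atom(atom, modes):
    """p(A) = P_in(input arguments) -> P_out(output arguments)."""
    pred, args = atom
    ins = tuple(a for a, m in zip(args, modes[pred]) if m == "in")
    outs = tuple(a for a, m in zip(args, modes[pred]) if m == "out")
    return (pred + "_in", ins), (pred + "_out", outs)


def p_clause(head, body, modes):
    """p(C) = p(A) <= p(B_1), ..., p(B_m); only defined for LR-well-moded clauses."""
    if not is_lr_well_moded(head, body, modes):
        raise ValueError("clause is not LR-well-moded: %s" % (head,))
    return p_atom(head, modes), [p_atom(b, modes) for b in body]


def show(rule):
    """Render a rule in the notation of the paper; nullary symbols are written bare."""
    def term(t):
        name, args = t
        return name + ("(" + ",".join(args) + ")" if args else "")
    (lhs, rhs), conds = rule
    text = term(lhs) + " -> " + term(rhs)
    if conds:
        text += " <= " + ", ".join(term(s) + " -> " + term(t) for s, t in conds)
    return text


# The quicksort program of the text.
QSORT = [
    (("qsort", ["[]", "[]"]), []),
    (("qsort", ["x:l", "s"]), [("split", ["l", "x", "l1", "l2"]), ("qsort", ["l1", "s1"]),
                              ("qsort", ["l2", "s2"]), ("app", ["s1", "x:s2", "s"])]),
    (("split", ["[]", "x", "[]", "[]"]), []),
    (("split", ["x:l", "y", "x:l1", "l2"]), [("less", ["x", "y"]), ("split", ["l", "y", "l1", "l2"])]),
    (("split", ["x:l", "y", "l1", "x:l2"]), [("geq", ["x", "y"]), ("split", ["l", "y", "l1", "l2"])]),
]


def r_p(program, modes):
    """R_P = {p(C) | C in P}, rendered as strings."""
    return [show(p_clause(head, body, modes)) for head, body in program]


if __name__ == "__main__":
    for rule in r_p(QSORT, MODES):
        print(rule)
```

Reordering the body of the second clause so that $qsort(l_1, s_1)$ precedes $split(l, x, l_1, l_2)$ makes the check fail, since $l_1$ would then be consumed before it is produced; this is exactly the left-to-right data flow that the conditions of $p(C)$ rely on.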



Definition 16. An LR-well-moded logic program $\mathcal{P}$ is (uniquely) terminating if, for every LR-well-moded query $A$, every left-to-right SLD-derivation is terminating (and every left-to-right SLD-refutation computes the same answer substitution).

Ganzinger and Waldmann [GW93, Thm. 14] showed that quasi-reductivity of $R_\mathcal{P}$ proves termination of an LR-well-moded logic program $\mathcal{P}$. Avenhaus and Loría-Sáenz [ALS94, Thm. 5.1] proved that unique termination follows from quasi-reductivity and the joinability of all conditional critical pairs.

By means of the following implications
$$U(R_\mathcal{P}) \text{ is terminating} \Rightarrow R_\mathcal{P} \text{ is quasi-reductive} \Rightarrow \mathcal{P} \text{ is terminating}$$
it suffices to show termination of $U(R_\mathcal{P})$ in order to prove termination of the quicksort program. Termination of $U(R_\mathcal{P})$ can automatically be shown with the dependency pair technique; see [AG97a]. Thus the quicksort program is terminating. Since every conditional critical pair in $R_\mathcal{P}$ is infeasible (hence joinable), the logic program is also uniquely terminating.

Arts and Zantema [AZ95,AZ96] stated an imperative procedure$^3$ which directly transforms a logic program $\mathcal{P}$ into an unconditional TRS. The TRS obtained by this imperative procedure$^4$ is essentially the same as $U(R_\mathcal{P})$. Arts and Zantema showed that single-redex termination of $U(R_\mathcal{P})$ suffices to prove termination of $\mathcal{P}$; see [AZ95, Thm. 4.8] and [Art97, Thm. 8.2.9]. We recall the definition:

Definition 17. A reduction step $s \to t$ is called a single-redex reduction step if $s$ contains exactly one redex. If a term does not have exactly one redex, then it is in single-redex normal form. A single-redex derivation is a reduction sequence consisting solely of single-redex reduction steps. A TRS $R$ is called single-redex terminating if all single-redex derivations are finite.

Note that innermost termination implies single-redex termination. Due to the following hierarchy (note that $U(R_\mathcal{P})$ may be overlapping)
$$U(R_\mathcal{P}) \text{ is terminating} \Rightarrow R_\mathcal{P} \text{ is quasi-reductive} \Rightarrow R_\mathcal{P} \text{ is quasi-decreasing} \Rightarrow U(R_\mathcal{P}) \text{ is innermost terminating} \Rightarrow U(R_\mathcal{P}) \text{ is single-redex terminating}$$
it seems that the method of Arts and Zantema is more powerful than Ganzinger and Waldmann's, in the sense that more logic programs can be proven terminating by the former method. Theorem 19, however, implies that both methods are equally powerful. To prove it, we need the following lemma.

Lemma 18. Suppose $U(R_\mathcal{P})$ is single-redex terminating. If every $v_j$ in $u = P_{in}(v_1, \ldots, v_m)$ is a term in $\mathcal{T}(F^f_\mathcal{P}, \mathcal{V})$, then every $U(R_\mathcal{P})$-derivation starting from $u$ is finite.

Proof. It is fairly easy to see that every $U(R_\mathcal{P})$-derivation starting from $u$ is a single-redex derivation. Thus it is finite. $\square$

Theorem 19. If $U(R_\mathcal{P})$ is single-redex terminating, then it is terminating.

Proof. By structural induction on $u$, it will be shown that every $U(R_\mathcal{P})$-derivation starting from $u$ is finite. If $u$ is a variable, then it is in normal form. If $u$ is a constant, then it is either in normal form or Lemma 18 applies. If $u$ has a $U$-symbol at its root, then the assertion follows as in the proof of case (c) in Theorem 10. So suppose $u = P_{in}(v_1, \ldots, v_m)$, where at least one of the $v_j$ contains a function symbol $f \notin F^f_\mathcal{P}$. By the inductive hypothesis, every $U(R_\mathcal{P})$-derivation starting from $v_j$ is finite. For a proof by contradiction suppose there is an infinite $U(R_\mathcal{P})$-derivation
$$D : u = u_0 \to u_1 \to u_2 \to \cdots$$

$^3$ There is a flaw in the procedure which has been corrected in [Art97, Def. 8.2.2].

$^4$ More precisely, by the imperative procedure in [Art97, Def. 8.2.2].
The proof idea is to eliminate all "aliens" in the terms $u_j$ by a function $\Psi$ and to show that the derivation $\Psi(D)$ is still infinite. In $u$, every maximal proper subterm $t$ with a $U$-symbol or a function symbol from $F^p_\mathcal{P}$ at the root is an alien. Informally, every "descendant" of an alien from $u$ is an alien in $u_j$. In order to formally define what an alien is, we need the two functions $\Phi$ and $\Psi$ defined below.
$$\Phi(t) = \begin{cases} t & \text{if } t \in \mathcal{V}, \\ f(\Phi(t_1), \ldots, \Phi(t_n)) & \text{if } t = f(t_1, \ldots, t_n),\ f \in F^f_\mathcal{P}, \\ z & \text{otherwise} \end{cases}$$
where $z$ is a fresh variable (i.e., it does not occur in $t$). So if $t = C[t_1, \ldots, t_n]$, where $C \in \mathcal{T}(F^f_\mathcal{P}, \mathcal{V})$ and either $root(t_j)$ is a $U$-symbol or $root(t_j) \in F^p_\mathcal{P}$, then $\Phi(t) = C[z, \ldots, z]$.
$$\Psi(t) = \begin{cases} p(\Phi(t_1), \ldots, \Phi(t_n)) & \text{if } t = p(t_1, \ldots, t_n),\ p \in F^p_\mathcal{P}, \\ U_i^\rho(\Psi(t_1), \Phi(t_2), \ldots, \Phi(t_n)) & \text{if } t = U_i^\rho(t_1, \ldots, t_n). \end{cases}$$
Note that $\Psi$ is only partially defined. Suppose $t$ has only $U$-symbols above the leftmost outermost function symbol which is in $F^p_\mathcal{P}$. $\Psi$ does not modify this symbol or any of the $U$-symbols above it. All other function symbols in $t$ that are not in $F^f_\mathcal{P}$ are then replaced with the variable $z$ by the function $\Phi$.

Now the aliens in $u_j$ are those subterms of $u_j$ which are replaced with the fresh variable $z$ when $\Psi$ is applied to $u_j$. We write $u_j \to_a u_{j+1}$ if the contracted redex is a subterm of an alien in $u_j$ and $u_j \to_{na} u_{j+1}$ otherwise. It is not difficult to show that for every alien $t$ in $u_j$ there is an alien $s$ in $u$ such that $s \to^* t$. Since every $U(R_\mathcal{P})$-derivation starting from $s$ is finite, the relation $\to_a$ is terminating. Consequently, $D$ must contain infinitely many $\to_{na}$ steps. It is obvious that $u_j \to_a u_{j+1}$ implies $\Psi(u_j) = \Psi(u_{j+1})$. Moreover, if $u_j \to_{na} u_{j+1}$, then $\Psi(u_j) \to \Psi(u_{j+1})$. This fact can be proven as follows. Write $u_j = C[l\sigma] \to_{na} C[r\sigma] = u_{j+1}$, where $l \to r \in U(R_\mathcal{P})$. By the form of the rewrite rules in $U(R_\mathcal{P})$, we have $\Psi(l\sigma) = l\tau$, where $\tau$ is defined by $x\tau = \Phi(x\sigma)$. It is fairly simple to prove that $l\tau \to r\tau = \Psi(r\sigma)$, which yields $\Psi(u_j) = \Psi(C)[\Psi(l\sigma)] \to \Psi(C)[\Psi(r\sigma)] = \Psi(u_{j+1})$. By putting all the facts together, we conclude that the $U(R_\mathcal{P})$-derivation
$$\Psi(D) : \Psi(u) = \Psi(u_0) \to^* \Psi(u_1) \to^* \Psi(u_2) \to^* \cdots$$
is infinite. Furthermore, $\Psi(u) = P_{in}(\Phi(v_1), \ldots, \Phi(v_m))$ and every $\Phi(v_j)$ is an element of $\mathcal{T}(F^f_\mathcal{P}, \mathcal{V})$. This, however, contradicts Lemma 18. $\square$

We have seen that the termination proof technique of Ganzinger and Waldmann is as powerful as that of Arts and Zantema. All in all, we suggest that one takes the best of both worlds:

1. The two-stage transformation consisting of the phases (i) translation of a logic program $\mathcal{P}$ into a deterministic 3-CTRS $R_\mathcal{P}$ and (ii) translation of $R_\mathcal{P}$ into an unconditional TRS $U(R_\mathcal{P})$ is much easier to grasp than a direct transformation via an imperative procedure. It is thus preferable.

2. Unique termination of $\mathcal{P}$ can be proven on the level of 3-CTRSs whereas there is no similar method for TRSs. So the two-stage transformation has another advantage over the direct transformation.

3. We have seen that in both approaches to proving termination of an LR-well-moded logic program $\mathcal{P}$ it boils down to proving innermost termination of the unconditional TRS $U(R_\mathcal{P})$. Since the latter can be automated by the dependency pair technique [AG97b], the whole method can be automated; cf. [Art97].

It should be pointed out that the methods don't yield a complete criterion for proving termination of LR-well-moded logic programs; see [GW93].

7 Related Work

As already mentioned, the idea of transforming conditional rewrite systems into unconditional ones dates back to the work of Bergstra and Klop [BK86], where such transformations were used as a heuristic tool to construct counterexamples to confluence of certain classes of CTRSs. Bergstra and Klop did not explore the formal aspects of these transformations. This was done ten years later by Marchiori [Mar96]. He showed that some parts of the theory of CTRSs "can be automatically recovered from the theory of TRSs". In [Mar97], the limits of transformational approaches are discussed. Other transformations can be found in [GM88] and [Hin95]. The applicability of Giovanetti and Moiso's [GM88] transformation is rather limited because it is designed to preserve "the equivalence relation induced on terms". Hintermeier [Hin95] provides a two-phase transformation (based on order-sorted rewriting) from the class of decreasing and ground confluent CTRSs to TRSs.

Many methods have been proposed to prove termination of logic programs and we will not attempt to review all of these here. Instead, we refer to the overview article of de Schreye and Decorte [SD94]. More recent approaches to proving termination of logic programs are discussed in Krishna Rao et al. [KRKS98]. We will only briefly comment on other transformational techniques. To the best of our knowledge, the first termination proof technique for well-moded logic programs which uses a transformation of logic programs into TRSs was described by Krishna Rao et al. [KRKS92]. However, Ganzinger and Waldmann's method is not only conceptually easier but it is also able to prove termination of logic programs for which the method in [KRKS92] fails. An approach similar to that of Arts and Zantema was suggested by Aguzzi and Modigliani [AM93]. In contrast to the other techniques, however, their method does not require any prior information about modes of predicates because these are computed during the transformation according to a given query. The transformational approach of Marchiori [Mar94] is rather complex but it can handle logic programs for which the methods described above fail. It is sound and complete for two subclasses of the class of well-moded logic programs, viz. simply well-moded and flatly well-moded programs. Lastly, another translation of logic programs into conditional rewrite systems can be found in van Raamsdonk [Raa97].
Abstract. In divisible torsion-free abelian groups, the efficiency of the cancellative superposition calculus can be greatly increased by combining it with a variable elimination algorithm that transforms every clause into an equivalent clause without unshielded variables. We show that the resulting calculus is not only refutationally complete (even in the presence of arbitrary free function symbols), but that it is also a decision procedure for the theory of divisible torsion-free abelian groups.



1 Introduction 

Equational reasoning in the presence of the associativity and commutativity 
axioms is known to be difficult - theoretically [5,12], as well as practically [1, 
13-17,21]. Using AC-unification and extended clauses the worst inefficiencies of 
a naive approach can be avoided, but still the extended clauses lead to numerous 
variable overlaps - one of the most prolific types of inferences in resolution or 
superposition style calculi. Besides, minimal complete set of AC-unifiers may 
have doubly exponential size. K the theory contains adso the identity law 

x-bOssx, (U) 

then AC-unification can be replaced by ACU-unification, but the minimal com- 
plete set is still simply exponential. 

A substantial improvement can be observed when we consider structures that 
satisfy also the cancellation axiom 

x + ywx + z ^ y ^ z, (K) 



or the inverse eixiom 



X + (— x) w 0 , (hiv) 

(which implies (K)), that is, when we switch over from abelian semigroups or 
monoids to abelian groups (ACUInv) or at least cancellative abelian monoids 
(ACUK). The cancellative superposition cadculus (Ganzinger and Waldmann [10, 
18]) is a refined superposition calculus for cancellative abelian monoids which 
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requires neither explicit inferences with the theory clauses nor extended equa- 
tions or clauses. Strengthened ordering constraints lead to a significsint reduction 
of the number of variable overlaps, compared with traditional AC-calculi. Some 
variable overlaps remain necessary, however. 

In (non-trivial) divisible torsion-free abelian groups, e. g., the rational num- 
bers and rational vector spaces, the abelian group axioms ACUInv are extended 
by the torsion-freeness axioms 



kx » ky => X fny (T) 

(for £ill A: 6 N^°), the divisibility axioms^ 

k div-byk{x) w x (Div) 

(for all fc G N^®), and the non-triviaJity 2 ixiom^ 

a 560 . (Nt) 

Divisible torsion-free abelian groups (DTAGs) allow quantifier elimination: For every quantified formula over $0$, $+$, and $\approx$ there exists a quantifier-free formula that is equivalent modulo the theory axioms. In particular, every closed formula over this vocabulary is provably true or false: the theory of DTAGs is complete and decidable. Superposition calculi, however, work on formulae that do not contain any existential quantifiers, but that may contain free function symbols - possibly introduced by skolemization, possibly given initially. In the presence of free function symbols, there is of course no way to eliminate all variables from a formula - not even all universally quantified ones - but we can at least give an effective method to eliminate all unshielded variables, that is, all variables not occurring below any free function symbol. This elimination algorithm has been integrated into the cancellative superposition calculus in (Waldmann [20]). The resulting calculus is refutationally complete with respect to the DTAG axioms and allows us to dispense with variable overlaps completely.

Starting with Joyner [11], resolution and superposition calculi have been shown to be decision procedures for various classes of formulae (e. g., [3, 6-9]). As the theory of DTAGs is decidable, it is now a natural question to ask whether the combination of cancellative superposition and variable elimination for unshielded universally quantified variables is powerful enough to be usable as a decision procedure for the theory of DTAGs. We show in this paper that this is indeed the case: The combined calculus is refutationally complete in the presence of arbitrary free function symbols; and it is a decision procedure, if all free function symbols are the result of skolemization.

^1 In non-skolemized form: $\forall x\,\exists y\colon ky \approx x$ for all $k \in \mathbb{N}^{>0}$.

^2 In non-skolemized form: $\exists y\colon y \not\approx 0$.

2 Preliminaries

We will first give a short overview over the cancellative superposition calculus and its specialization for DTAGs. The reader is referred to (Waldmann [18, 20]) for more technical details.^3

Throughout this paper we assume that our signature contains a binary function symbol $+$ and a constant $0$. If $t$ is a term and $n \in \mathbb{N}$, then $nt$ is an abbreviation for the $n$-fold sum $t + \dots + t$; in particular, $0t = 0$ and $1t = t$.

A function symbol different from $0$ and $+$ is called free. A term is called atomic, if it is not a variable and its top symbol is different from $+$. We say that a term $t$ occurs at the top of $s$, if there is a position $o \in \mathrm{pos}(s)$ such that $s|_o = t$ and for every proper prefix $o'$ of $o$, $s(o')$ equals $+$; the term $t$ occurs in $s$ below a free function symbol, if there is an $o \in \mathrm{pos}(s)$ such that $s|_o = t$ and $s(o')$ is a free function symbol for some proper prefix $o'$ of $o$.

The equality symbol $\approx$ is the only predicate of our language. Hence a literal is either an equation $t \approx t'$ or a negated equation $t \not\approx t'$. The symbol $\dot\approx$ denotes either $\approx$ or $\not\approx$. A clause is a finite multiset of literals, usually written as a disjunction.

A variable x is called shielded in a clause C, if it occurs at least once below 
a free function symbol in C. Otherwise, x is called unshielded. 

We say that an ACU-compatible ordering $\succ$ has the multiset property, if whenever a ground atomic term $u$ is greater than $v_i$ for every $i$ in a finite non-empty index set $I$, then $u \succ \sum_{i \in I} v_i$.

From now on we will work only with ACU-congruence classes, rather than with terms. So all terms, equations, substitutions, inference rules, etc., are to be taken modulo ACU, i.e., as representatives of their congruence classes. The symbol $\succ$ will always denote an ACU-compatible reduction ordering that has the multiset property and is total on ground ACU-congruence classes.^4

Let $A$ be a ground literal $nu + \sum_{i \in I} s_i \,\dot\approx\, mu + \sum_{j \in J} t_j$, where $u$, $s_i$, and $t_j$ are atomic terms, $n \ge m \ge 0$, $n \ge 1$, and $u \succ s_i$ and $u \succ t_j$ for all $i \in I$, $j \in J$. Then $u$ is called the maximal atomic term of $A$.

The ordering $\succ_{\mathrm{L}}$ on literals compares lexicographically first the maximal atomic terms of the literals, then the polarities (negative $\succ$ positive), then the multisets of all non-zero terms occurring at the top of the literals, and finally the multisets consisting of the left and right hand sides of the literals. The ordering $\succ_{\mathrm{C}}$ on clauses is the multiset extension of the literal ordering $\succ_{\mathrm{L}}$. Both $\succ_{\mathrm{L}}$ and $\succ_{\mathrm{C}}$ are noetherian and total on ground literals/clauses.

We denote entailment modulo equality and ACUKT by $\models_{\mathrm{ACUKT}}$. In other words, $\{C_1, \dots, C_n\} \models_{\mathrm{ACUKT}} C_0$ if and only if $\mathrm{ACUKT} \cup \{C_1, \dots, C_n\} \models C_0$.

^3 The cancellative superposition calculus as described in (Waldmann [18, 20]) works in a many-sorted framework. For the purposes of this paper, it is sufficient to restrict to the one-sorted case.

^4 For ground terms, such an ordering can be obtained for instance from the recursive path ordering with precedence $f_n \succ \dots \succ f_1 \succ {+} \succ 0$ and multiset status for $+$ by comparing normal forms w.r.t. $x + 0 \to x$ and $0 + x \to x$. If clauses are fully abstracted eagerly (cf. Sect. 5), the compatibility requirement becomes void.

3 Cancellative Superposition

Saturation-based theorem proving methods such as resolution or superposition 
aim at deducing a contradiction from a set of clauses by recursively inferring new 
clauses from given ones according to some inference system. A theorem prover 
computes one of the possible inferences of the current set of clauses and adds its 
conclusion to the current set, until a contradiction has been derived or a “closed” 
(or “saturated”) set is reached. 

To reduce the search space, the inference system is complemented by a redundancy criter
ion, which specifies inferences and clauses deemed to be unnecessary for deriving a contradiction. An inference that is redundant with respect to the current set $N$ of clauses need not be computed; a clause that is redundant with respect to $N$ may be removed from $N$.^5 In particular, a clause may be replaced by another equivalent clause, if the new clause renders the old one redundant; such a replacement is called a simplification. We call a (finite or infinite) sequence $N_0, N_1, \dots$ a theorem proving derivation, if every $N_{i+1}$ follows logically from $N_i$ and every clause in $N_i \setminus N_{i+1}$ is redundant with respect to $N_{i+1}$. The derivation is said to be fair if every inference from persisting clauses is redundant with respect to some $N_j$.^6

A set $N$ of clauses is called saturated with respect to an inference system and a redundancy criterion, if every inference from clauses in $N$ is redundant with respect to $N$. The inference system is called refutationally complete if saturated sets are unsatisfiable if and only if they contain the empty clause, or equivalently, if every fair theorem proving derivation starting from an unsatisfiable set of clauses will eventually derive the empty clause [4, 18].

The cancellative superposition calculus (Waldmann [18]) is a refutationally complete variant of the standard superposition calculus (Bachmair and Ganzinger [2]) for sets of clauses that contain the axioms ACUK and (optionally) T. Compared with standard or AC superposition calculi, the ordering restrictions of its inference rules are strengthened: Inferences are not only limited to maximal sides of maximal literals, but also to maximal summands thereof. As shielded variables are non-maximal, this excludes in particular overlaps with such variables. Besides, any explicit inferences with the axioms ACUKT are unnecessary.

The inference system $\mathfrak{H}$ of the cancellative superposition calculus^7 consists of the inference rules cancellation, equality resolution, standard superposition, cancellative superposition, abstraction, and cancellative equality factoring. Ground versions of four of these rules are given below.^8

The following conditions are common to the rules of $\mathfrak{H}$: Every literal involved in an inference must be maximal in the respective premise (except for the last but one literal in cancellative equality factoring inferences); a positive literal involved in a superposition inference must be strictly maximal. In superposition inferences, the left premise is smaller than the right premise.

^5 Redundancy criteria need not be (and usually are not) decidable. For an implementation, having a decidable approximation is sufficient.

^6 In particular, every inference whose conclusion is contained in $N_j$ is redundant with respect to $N_j$.

^7 In [18], this inference system is denoted by GS-Inf$^{>0}$.

^8 We leave out the rules standard superposition and abstraction, as the restriction to fully abstracted clauses (in Section 5) will make them superfluous anyway.

Cancellation

$\dfrac{C' \lor mu + s \,\dot\approx\, m'u + s'}{C' \lor (m - m')u + s \,\dot\approx\, s'}$

if $m \ge m' \ge 1$ and $u \succ s$, $u \succ s'$.

Equality Resolution

$\dfrac{C' \lor 0 \not\approx 0}{C'}$

Canc. Superposition

$\dfrac{D' \lor nu + t \,\dot\approx\, t' \qquad C' \lor mu + s \approx s'}{D' \lor C' \lor \psi s + \chi t' \,\dot\approx\, \chi t + \psi s'}$

if $m \ge 1$, $n \ge 1$, $\psi = n/\gcd(m,n)$, $\chi = m/\gcd(m,n)$, and $u \succ s$, $u \succ s'$, $u \succ t$, $u \succ t'$.

Canc. Eq. Factoring

$\dfrac{C \lor nu + t \,\dot\approx\, n'u + t' \lor mu + s \approx s'}{C \lor \psi t + \chi s' \not\approx \chi s + \psi t' \lor nu + t \,\dot\approx\, n'u + t'}$

if $m \ge 1$, $n > n' \ge 0$, $\nu = n - n'$, $\psi = m/\gcd(m,\nu)$, $\chi = \nu/\gcd(m,\nu)$, and $u \succ s$, $u \succ s'$, $u \succ t$, $u \succ t'$.

The system is sound with respect to ACUKT. That is, for every inference with premises $C_1, \dots, C_n$ and conclusion $C_0$, we have $\{C_1, \dots, C_n\} \models_{\mathrm{ACUKT}} C_0$.

Lifting the inference rules to non-ground clauses is relatively straightforward as long as we restrict to clauses without unshielded variables. We have to take into account that, in a clause $C = C' \lor A$, the maximal literal $A$ need no longer have the form $mu + s \,\dot\approx\, s'$, where $u$ is the unique maximal atomic term. Rather, a non-ground literal such as $f(x) + 2f(y) + b \not\approx c$ may contain several (distinct but ACU-unifiable) maximal atomic terms $u_k$ with multiplicities $m_k$, where $k$ ranges over some finite non-empty index set $K$. We obtain thus $A = \sum_{k \in K} m_k u_k + s \,\dot\approx\, s'$, where $\sum_{k \in K} m_k$ corresponds to $m$ in the ground literal above. As in the standard superposition calculus, the substitution $\sigma$ that unifies all $u_k$ (and the corresponding terms $v_l$ from the other premise) is applied to the conclusion. For instance, the cancellative superposition rule has now the following form:



Cancellative Superposition

$\dfrac{D' \lor A_2 \qquad C' \lor A_1}{(D' \lor C' \lor A_0)\sigma}$

if the following conditions are satisfied:

- $A_1 = \sum_{k \in K} m_k u_k + s \approx s'$.

- $A_2 = \sum_{l \in L} n_l v_l + t \,\dot\approx\, t'$.

- $m = \sum_{k \in K} m_k \ge 1$, $n = \sum_{l \in L} n_l \ge 1$.

- $\psi = n/\gcd(m,n)$, $\chi = m/\gcd(m,n)$.

- $u$ is one of the $u_k$ or $v_l$ ($k \in K$, $l \in L$).

- $\sigma$ is a most general ACU-unifier of all $u_k$ and $v_l$ ($k \in K$, $l \in L$).

- $u \not\preceq s$, $u \not\preceq s'$, $u \not\preceq t$, $u \not\preceq t'$.

- $A_0 = \psi s + \chi t' \,\dot\approx\, \chi t + \psi s'$.

The lifted versions of the rules cancellation and cancellative equality factoring are obtained analogously.

In the presence of unshielded variables, it is still possible to devise (more 
complicated) lifted inference rules that produce only finitely many conclusions 
for a given tuple of premises. We do not repeat these rules here, as the addi- 
tional theory axioms DivInvNt make it possible to eliminate unshielded variables 
completely. The elimination of unshielded variables happens in two stages. First 
we show that every clause is logically equivalent to a clause without unshielded 
variables. Then this elimination algorithm has to be integrated into cancellative 
superposition. Our main tool for the second step is the concept of redundancy. 

Let $C_0, C_1, \dots, C_k$ be clauses and let $\theta$ be a substitution such that $C_i\theta$ is ground for all $i \in \{1, \dots, k\}$. If there are inferences

$\dfrac{C_k \ \dots\ C_1}{C_0}$ and $\dfrac{C_k\theta \ \dots\ C_1\theta}{C_0\theta}$

then the latter is called a ground instance of the former.

Let $N$ be a set of clauses, let $\bar N$ be the set of ground instances of clauses in $N$. An inference is called ACUKT-redundant with respect to $N$ if for each of its ground instances with conclusion $C_0\theta$ and maximal premise $C\theta$ we have $\{D \in \bar N \mid D \prec_{\mathrm{C}} C\theta\} \models_{\mathrm{ACUKT}} C_0\theta$. A clause $C$ is called ACUKT-redundant with respect to $N$, if for every ground instance $C\theta$, $\{D \in \bar N \mid D \prec_{\mathrm{C}} C\theta\} \models_{\mathrm{ACUKT}} C\theta$.

Theorem 1. The inference system $\mathfrak{H}$ is refutationally complete with respect to ACUKT, that is, a $\mathfrak{H}$-saturated set of clauses is unsatisfiable modulo ACUKT if and only if it contains the empty clause (Waldmann [18]).

4 Variable Elimination: The Logical Side 

It is well-known that the theory of DTAGs allows quantifier elimination: For every quantified formula over $0$, $+$, and $\approx$ there exists an equivalent quantifier-free formula. In the presence of free function symbols, there is of course no way to eliminate all variables from a clause, but we can at least give an effective method to eliminate all unshielded variables.
Let $x$ be a variable. We define a binary relation $\to_x$ over clauses by

CancelVar $\quad C \lor mx + s \,\dot\approx\, m'x + s' \ \to_x\ C \lor (m - m')x + s \,\dot\approx\, s'$

if $m \ge m' \ge 1$.

ElimNeg $\quad C \lor mx + s \not\approx s' \ \to_x\ C$

if $m \ge 1$ and $x$ does not occur in $C$, $s$, $s'$.

ElimPos $\quad C \lor m_1 x + s_1 \approx s'_1 \lor \dots \lor m_k x + s_k \approx s'_k \ \to_x\ C$

if $m_i \ge 1$ and $x$ does not occur in $C$, $s_i$, $s'_i$, for $1 \le i \le k$.

Coalesce $\quad C \lor mx + s \not\approx s' \lor nx + t \,\dot\approx\, t' \ \to_x\ C \lor mx + s \not\approx s' \lor \psi t + \chi s' \,\dot\approx\, \psi t' + \chi s$

if $m \ge 1$, $n \ge 1$, $\psi = m/\gcd(m,n)$, $\chi = n/\gcd(m,n)$, and $x$ does not occur at the top of $s$, $s'$, $t$, $t'$.

The relation $\to_x$ is noetherian. Let the binary relation $\to_{\mathrm{elim}}$ over clauses be defined in such a way that $C_0 \to_{\mathrm{elim}} C_1$ if and only if $C_0$ contains an unshielded variable $x$ and $C_1$ is a normal form of $C_0$ with respect to $\to_x$. Then $\to_{\mathrm{elim}}$ is again noetherian. For any clause $C$, let $\mathrm{elim}(C)$ denote some (arbitrary but fixed) normal form of $C$ with respect to the relation $\to_{\mathrm{elim}}$.

Lemma 2. For every clause C, elim(C) contains no unshielded variables. 

Lemma 3. For every clause $C$, $\{C\} \cup \mathrm{DivInvNt} \models_{\mathrm{ACUKT}} \mathrm{elim}(C)$ and $\{\mathrm{elim}(C)\} \models_{\mathrm{ACUKT}} C$. For every ground $C\theta$, $\{\mathrm{elim}(C)\theta\} \models_{\mathrm{ACUKT}} C\theta$ [18].

Proof. If $C_0 \to_x C_1$ by CancelVar, the equivalence of $C_0$ and $C_1$ modulo ACUKT follows from cancellation; for Coalesce, from cancellation and torsion-freeness. The soundness of ElimNeg follows from the inverse and divisibility axioms, for ElimPos it is implied by torsion-freeness and non-triviality. □

Using the technique sketched so far, every clause $C_0$ can be transformed into a clause $\mathrm{elim}(C_0)$ that does not contain unshielded variables, follows from $C_0$ and the DTAG axioms, and implies $C_0$ modulo ACUKT. Obviously, we can perform this transformation for all initially given clauses before we start the saturation process. However, $\mathfrak{H}$-inferences from clauses without unshielded variables may produce clauses with unshielded variables. To eliminate these clauses during the saturation process, it is not sufficient that they follow logically from some other clauses: redundancy requires that they follow from some sufficiently small clauses. Unfortunately, under certain circumstances the transformed clause $\mathrm{elim}(C_0)$ may not be small enough. Hence, to integrate the variable elimination algorithm into the cancellative superposition calculus, it has to be supplemented by a case analysis technique.

5 Variable Elimination: The Operational Side 

Let $\iota$ be an inference. We call the unifying substitution $\sigma$ that is computed during $\iota$ and applied to the conclusion the pivotal substitution of $\iota$. (For ground inferences, the pivotal substitution is the identity mapping.) If $A$ is the last literal of the last premise of $\iota$, we call $A\sigma$ the pivotal literal of $\iota$. Finally, if $u_0$ is the atomic term that is cancelled out in $\iota$, or in which some subterm is replaced or abstracted out, then we call $u_0\sigma$ the pivotal term of $\iota$. Pivotal terms have two important properties: First, whenever an inference $\iota$ from clauses without unshielded variables produces a conclusion with unshielded variables, then all these unshielded variables occur in the pivotal term of $\iota$. Second, no atomic term in the conclusion of $\iota$ can be larger than the pivotal term of $\iota$.

A clause $C$ is called fully abstracted, if no non-variable term occurs below a free function symbol in $C$. Every clause $C$ can be transformed into an equivalent fully abstracted clause $\mathrm{abs}(C)$ by iterated rewriting

where $x$ is a new variable and $t$ is a non-variable term occurring immediately below the free function symbol $f$ in $C$. It should be noted that the variable elimination algorithm preserves full abstraction, so that for every clause $C$, $\mathrm{elim}(\mathrm{abs}(C))$ is a logically equivalent clause that is fully abstracted and does not contain unshielded variables.

In the sequel we assume that every clause $C$ in the input of the inference system is replaced by $\mathrm{elim}(\mathrm{abs}(C))$ before we start the saturation process. The inference system $\mathfrak{D}^{\mathrm{abs}}$ that we will describe now preserves both properties: the set of all fully abstracted clauses without unshielded variables is closed under $\mathfrak{D}^{\mathrm{abs}}$. The system $\mathfrak{D}^{\mathrm{abs}}$ is given by two meta-inference rules:



Eliminating Inference

$\dfrac{C_n \ \dots\ C_1}{\mathrm{elim}(C_0)}$

if the following condition is satisfied:

- $\dfrac{C_n \ \dots\ C_1}{C_0}$ is a non-abstraction and non-standard superposition $\mathfrak{H}$-inference.^9

Instantiating Inference

$\dfrac{C_n \ \dots\ C_1}{C_0\tau}$

if the following conditions are satisfied:

- $\dfrac{C_n \ \dots\ C_1}{C_0}$ is a non-abstraction and non-standard superposition $\mathfrak{H}$-inference with pivotal literal $A$ and pivotal term $u$.

- The multiset difference $\mathrm{elim}(C_0) \setminus C_0$ contains a literal $A_1$ with the same polarity as $A$.

- An atomic term $u_1$ occurs at the top of $A_1$.

- $\tau$ is contained in a minimal complete set of ACU-unifiers of $u$ and $u_1$.

^9 In the one-sorted case considered in this paper, standard superposition inferences from fully abstracted clauses are impossible. In the general many-sorted case, standard superposition inferences must not be ignored.

The redundancy of $\mathfrak{D}^{\mathrm{abs}}$-inferences is defined in a slightly complicated way. Essentially, a $\mathfrak{D}^{\mathrm{abs}}$-inference is redundant if sufficiently many ground instances of the $\mathfrak{H}$-inference on which it is based are redundant. For our purposes, it is sufficient to know that any inference is redundant with respect to a set $N$ of clauses as soon as its conclusion (or a simplified version thereof) is present in $N$.

Theorem 4. If a set of fully abstracted clauses is saturated with respect to $\mathfrak{D}^{\mathrm{abs}}$ and none of the clauses contains unshielded variables, then it is also saturated with respect to $\mathfrak{H}$, and it is unsatisfiable modulo $\mathrm{ACUKT} \cup \mathrm{DivInvNt}$ if and only if it contains the empty clause (Waldmann [18, 20]).

If all clauses are fully abstracted, then the terms that have to be compared during the saturation do not contain the operator $+$. In this situation, the requirement that the ordering $\succ$ has to be ACU-compatible becomes void, and we may use an arbitrary reduction ordering over terms not containing $+$ that is total on ground terms and for which $0$ is minimal. As every ordering of this kind can be extended to an ordering that is ACU-compatible and has the multiset property (Waldmann [19]), the completeness proof is still justified.

6 Deciding the Theory of DTAGs 

A refutationally complete calculus derives a contradiction (and terminates) whenever the set of input formulae is inconsistent. To show that a refutationally complete calculus is actually a decision procedure, one has to prove that it terminates even on consistent inputs. Following this general scheme, we will now demonstrate that the calculus $\mathfrak{D}^{\mathrm{abs}}$ is a decision procedure for the theory of divisible torsion-free abelian groups.

Let us denote by $\mathcal{D}$ the class of all closed first-order formulae with arbitrary quantifiers and logical connectives and containing not more than the function symbols $+$ (binary), $0$ (constant), $-$ (unary), $\mathrm{div\text{-}by}_k$ (unary) for $k \in \mathbb{N}^{>0}$, and the binary predicate symbol $\approx$. Given a formula $F \in \mathcal{D}$, our task is to decide whether $F$ is equivalent to true or to false with respect to the theory of DTAGs. As this theory is complete, every formula in $\mathcal{D}$ is equivalent either to true or to false, hence $F$ is equivalent to true if and only if it is satisfiable.

We can first of all eliminate the symbols $-$ and $\mathrm{div\text{-}by}_k$ from $F$ by recursively replacing any atom $s[-t] \approx s'$ by $\forall x\,(x + t \not\approx 0 \lor s[x] \approx s')$ and any atom $s[\mathrm{div\text{-}by}_k(t)] \approx s'$ by $\forall x\,(kx \not\approx t \lor s[x] \approx s')$, where $x$ is a new variable. The resulting formula $F_1$ is then converted into a formula $F_2$ in prenex normal form. By skolemization, $F_2$ can be further translated into a formula $F_3$ without existentially quantified variables, such that $F_3$ is satisfiable if and only if $F$ is satisfiable. Skolemization replaces the existentially quantified variables of $F_2$ by terms $f(x_1, \dots, x_i)$, where the $x_j$ are universally quantified variables and $f$ is a new free function symbol. The formula $F_3$ can be transformed into conjunctive normal form, which we represent as a finite set $N'$ of clauses. This set $N'$ is a subset of the class $\mathcal{D}_C$ defined as follows: A clause $C$ is contained in $\mathcal{D}_C$ if and only if there exists a finite sequence of distinct variables $x_1, \dots, x_n$ such that, for every literal $s \,\dot\approx\, s'$ in $C$, both $s$ and $s'$ are sums $\sum n_k t_k$, and each $t_k$ is either an atomic term $f(x_1, \dots, x_i)$ or a variable $x_i$ for some $i \le n$. The class of all clauses $C$ in $\mathcal{D}_C$ without unshielded variables is denoted by $\mathcal{D}_C^{\mathrm{elim}}$. Obviously, $N' \subseteq \mathcal{D}_C$ can be converted into an equivalent subset $N$ of $\mathcal{D}_C^{\mathrm{elim}}$ using the variable elimination algorithm described above.

We claim that there is a fair strategy for $\mathfrak{D}^{\mathrm{abs}}$-superposition that is guaranteed to terminate on every finite subset of $\mathcal{D}_C^{\mathrm{elim}}$. Termination implies that with this strategy $\mathfrak{D}^{\mathrm{abs}}$-superposition becomes a decision procedure for the satisfiability of finite subsets of $\mathcal{D}_C^{\mathrm{elim}}$ (and hence of formulae in $\mathcal{D}$) with respect to $\mathrm{ACUKT} \cup \mathrm{DivInvNt}$.

In the rest of this paper, we assume $\succ$ to be a lexicographic path ordering based on a total precedence relation that respects the arity of function symbols (greater arity implying higher precedence). Apart from satisfying this restriction, the precedence can be arbitrary. Without loss of generality, we assume that the function symbols occurring in the input clauses are $f_m \succ \dots \succ f_1$. We note that $f_j(x_1, \dots, x_i) \succ f_k(x_1, \dots, x_{i'})$ if and only if $f_j \succ f_k$ if and only if $j > k$.

In the one-sorted case, the inference system $\mathfrak{D}^{\mathrm{abs}}$ consists of the eliminating and the instantiating variants of the rules cancellation, equality resolution, cancellative superposition, and cancellative equality factoring. We will show that for the special class of clauses $\mathcal{D}_C^{\mathrm{elim}}$, instantiating inferences are not needed:

Lemma 5. Every $\mathfrak{D}^{\mathrm{abs}}$-inference from clauses in $\mathcal{D}_C^{\mathrm{elim}}$ is an eliminating inference.

Proof. Assume that there is an instantiating $\mathfrak{D}^{\mathrm{abs}}$-inference

$\dfrac{C_n \ \dots\ C_1}{C_0\tau}$

with premises in $\mathcal{D}_C^{\mathrm{elim}}$. Then

$\dfrac{C_n \ \dots\ C_1}{C_0}$

is a $\mathfrak{H}$-inference with pivotal literal $A$, pivotal term $u$, and pivotal substitution $\sigma$. Furthermore, the multiset difference $\mathrm{elim}(C_0) \setminus C_0$ contains a literal $A_1$ with the same polarity as $A$, and $u\tau = u_1\tau$ for some atomic term $u_1$ occurring at the top of $A_1$. As $\mathrm{elim}(C_0) \ne C_0$, the clause $C_0$ must contain some unshielded variable $x$, and since the premises have no unshielded variables, $x$ must occur in the pivotal term $u$. Now, as the premises $C_i$ are clauses in $\mathcal{D}_C^{\mathrm{elim}}$, there exists a fixed list of variables $x_1, x_2, \dots$ such that all atomic terms in $C_i\sigma$, and thus in $C_0$ and $\mathrm{elim}(C_0)$, have the form $f_j(x_1, \dots, x_i)$ for some $j$ and $i$. Consequently, any two atomic terms in $C_i\sigma$, $C_0$, and $\mathrm{elim}(C_0)$ are either equal or not unifiable. By assumption, $u$ and $u_1$ have the unifier $\tau$, hence $u = u_1$. So $x$ occurs in $u_1$, and thus in an atomic term in $\mathrm{elim}(C_0)$, and thus in an atomic term in $C_0$. Hence $x$ is shielded in $C_0$, which refutes our assumption. □

In order to force the termination of $\mathfrak{D}^{\mathrm{abs}}$-superposition, certain simplification techniques are necessary. For a clause $C$, let $\mathrm{sfact}(C)$ be the clause obtained from $C$ by syntactic factoring, that is, by replacing every repeated literal $A \lor \dots \lor A$ by $A$. Let $\mathrm{scanc}(C)$ be the clause obtained from $C$ by syntactic cancellation, that is, by replacing every literal $s + t \,\dot\approx\, s' + t$ with non-zero $t$ by $s \,\dot\approx\, s'$.

Unlike syntactic factoring, syntactic cancellation may introduce unshielded variables (if the term that was cancelled out was the last term shielding some variable). During elimination of these unshielded variables, the Coalesce rule may again produce syntactically equal terms on both sides of a literal. Let the binary relation $\to_{\mathrm{sce}}$ over clauses be defined in such a way that $C_0 \to_{\mathrm{sce}} C_1$ if and only if $C_1 = \mathrm{elim}(\mathrm{scanc}(C_0))$ and $C_1 \ne C_0$. It is easy to show that $\to_{\mathrm{sce}}$ terminates. Let us denote the normal form of a clause $C$ with respect to $\to_{\mathrm{sce}}$ by $\mathrm{scanc}^*(C)$, and let $\mathrm{simp}(C)$ be the clause $\mathrm{sfact}(\mathrm{scanc}^*(C))$.

Lemma 6. For every $C \in \mathcal{D}_C^{\mathrm{elim}}$, if $\mathrm{simp}(C) \ne C$, then $C$ is redundant with respect to $\{\mathrm{simp}(C)\}$, that is, replacing $C$ by $\mathrm{simp}(C)$ is a simplification.^10

Proof. We have to show that, for every ground instance $C\theta$, $\{\mathrm{simp}(C)\theta\} \models_{\mathrm{ACUKT}} C\theta$ and $\mathrm{simp}(C)\theta \prec_{\mathrm{C}} C\theta$. The first part follows directly from Lemma 3. To show that $\mathrm{simp}(C)\theta$ is smaller than $C\theta$, two cases have to be distinguished: If the transformation from $C$ to $\mathrm{simp}(C)$ does not use variable elimination steps, that is, if $\mathrm{simp}(C) = \mathrm{sfact}(\mathrm{scanc}(C))$, then $\mathrm{simp}(C)\theta \prec_{\mathrm{C}} C\theta$ is obvious. Otherwise, $\mathrm{scanc}(C)$ contains some unshielded variable. This can only happen if one of the cancelled terms is $f_j(x_1, \dots, x_i)$, where $f_j$ is the largest function symbol occurring in $C$. Then $\mathrm{simp}(C)\theta \prec_{\mathrm{C}} C\theta$, since every atomic term occurring in $\mathrm{scanc}(C)\theta$ and $\mathrm{simp}(C)\theta$ is smaller than $f_j(x_1, \dots, x_i)\theta$. □

In descriptions of resolution or paramodulation style inference systems, one assumes conventionally that all clauses are variable disjoint, so that overlapping terms or literals can always be unified in the inference rules. To simplify the termination proof, we will exploit the fact that the particular structure of $\mathcal{D}_C^{\mathrm{elim}}$ allows us to use quite the opposite approach: Consider a $\mathfrak{D}^{\mathrm{abs}}$-inference from two clauses $C_2$ and $C_1$ in $\mathcal{D}_C^{\mathrm{elim}}$. During this inference, the maximal atomic term of $C_2$, say $f_k(x''_1, \dots, x''_i)$, and the maximal atomic term of $C_1$, say $f_k(x'_1, \dots, x'_i)$, are overlapped. By definition of the ordering and of the class $\mathcal{D}_C^{\mathrm{elim}}$, the set of variables of $C_1$ is exactly $\{x'_1, \dots, x'_i\}$, and all atomic terms in $C_1$ have the form $f_j(x'_1, \dots, x'_l)$ with $j \le k$ and $l \le i$ (and analogously for $C_2$). Therefore, essentially the same inference is also possible, if we assume that all clauses share the same variables $x_1, x_2, \dots$, and all non-variable terms occurring in the clause set have the form $f_j(x_1, \dots, x_i)$ for some $j$ and $i$. The pivotal substitution can then always be assumed to be the identity mapping, and it is trivial to check that the conclusion of any $\mathfrak{D}^{\mathrm{abs}}$-inference uses again the variables $x_1, x_2, \dots$ in the required way.

^10 The restriction to clauses in $\mathcal{D}_C^{\mathrm{elim}}$ is crucial for the correctness of this lemma.

To saturate a given finite subset of $\mathcal{D}_C^{\mathrm{elim}}$, we proceed in a stratified way: We compute first all inferences involving the maximal function symbol $f_m$, then continue with the function symbols $f_{m-1}, \dots, f_1$, and finally compute all equality resolution inferences. More formally, our strategy is defined as follows:

Let $N \subseteq \mathcal{D}_C^{\mathrm{elim}}$ be the set of all input clauses.

Let $f_m \succ \dots \succ f_1$ be the function symbols occurring in $N$.

Let $N^*_{m+1} = \{\, \mathrm{sfact}(C) \mid C \in N \,\}$.

For $k = m, m-1, \dots, 1$:

  If $N^*_{k+1}$ is defined, let $N^0_k$ be the set obtained from $N^*_{k+1}$ by replacing every clause $C$ whose maximal function symbol is $f_k$ by $\mathrm{simp}(C)$.

  For $r = 0, 1, \dots$:

    If $N^r_k$ is defined and if there are non-redundant cancellative superposition or cancellative equality factoring $\mathfrak{D}^{\mathrm{abs}}$-inferences from clauses in $N^r_k$ with pivotal term $f_k(x_1, \dots, x_i)$, pick one of them "don't care" non-deterministically, let $C$ be its conclusion, and let $N^{r+1}_k = N^r_k \cup \{\mathrm{sfact}(C)\}$;

    if $N^r_k$ is defined and if there is no such inference, let $N^*_k = N^r_k$.

If $N^*_1$ is defined, let $N^*$ be the union of $N^*_1$ and the set of all conclusions of all non-redundant equality resolution $\mathfrak{D}^{\mathrm{abs}}$-inferences from clauses in $N^*_1$.

Example 7. Let $N = \{\, 3f_2(x,y) \approx f_1(x),\ 2f_2(x,y) + y \not\approx 0 \lor f_2(x,y) \not\approx f_1(x) \,\}$, where in both clauses $f_2(x,y)$ is the maximal atomic term of the maximal side of the maximal literal. Then $N^*_3 = N$,

$N^0_2 = N^*_3$,

$N^1_2 = N^0_2 \cup \{\, 2f_1(x) + 3y \not\approx 0 \lor f_2(x,y) \not\approx f_1(x) \,\}$

- by cancellative superposition of input clauses 1 and 2,

$N^2_2 = N^1_2 \cup \{\, f_1(x) \not\approx 3f_1(x) \,\}$

- by cancellative superposition of clause 1 and the newly generated clause (note elimination of $y$ by ElimNeg),

$N^*_2 = N^2_2$

- as all inferences from $N^2_2$ with pivotal term $f_2(x,y)$ have been computed and are thus redundant,

$N^0_1 = N^*_2 \setminus \{\, f_1(x) \not\approx 3f_1(x) \,\} \cup \{\, 0 \not\approx 2f_1(x) \,\}$

- by simp,

$N^*_1 = N^0_1$

- as there are no inferences from $N^0_1$ with pivotal term $f_1(x)$,

$N^* = N^*_1$.

As $N^*$ is saturated and does not contain the empty clause, $N^*$ and $N$ are satisfiable.
Our task is now to show that the saturation of every stratum must terminate:

Lemma 8. Let $k \in \{1, \dots, m\}$. If $N^0_k$ is defined, then there exists an $r \in \mathbb{N}$ such that there is no non-redundant cancellative superposition or cancellative equality factoring $\mathfrak{D}^{\mathrm{abs}}$-inference from clauses in $N^r_k$ with pivotal term $f_k(x_1, \dots, x_i)$.

Proof. Every $\mathfrak{D}^{\mathrm{abs}}$-inference is redundant with respect to $N^r_k$ if its conclusion $C$ or an equivalent smaller clause, such as $\mathrm{sfact}(C)$, is contained in $N^r_k$. All inclusions in the sequence $N^0_k \subseteq N^1_k \subseteq \dots \subseteq N^r_k \subseteq \dots$ must therefore be strict. A clause can participate in an inference with pivotal term $f_k(x_1, \dots, x_i)$ only if it contains $f_k$ and if it does not contain any $f_j$ with $j > k$, or in other words, if $f_k(x_1, \dots, x_i)$ is its maximal atomic term. The set of all such clauses in $N^0_k$ is obviously finite. We will show below that the number of such clauses in $\bigcup_r N^r_k$ is also finite. From these finitely many clauses only finitely many conclusions of inferences can be derived, hence $\bigcup_r N^r_k$ must be finite. As the inclusions in the sequence are strict, the sequence is finite.

It remains to be proved that the number of clauses with maximal atomic term $f_k(x_1, \dots, x_i)$ in $\bigcup_r N^r_k$ is finite. Let $M$ be the subset of $N^0_k$ containing all clauses with maximal atomic term $f_k(x_1, \dots, x_i)$. Let $L$ be the set of all literals of clauses in $M$, let $L_1$ be the set of all literals in $L$ in which $f_k$ occurs, and let $L_0 = L \setminus L_1$. Note that there is no literal in $L_1$ in which $f_k$ occurs on both sides. Let $L'_0$ be the set of all literals $A$, such that there is a cancellative superposition $\mathfrak{H}$-inference

$\dfrac{A_2 \qquad A_1}{A}$

with literals $A_1$ and $A_2$ from $L_1$. Let $L''_0$ be the set of all literals $A$, such that there is a cancellative equality factoring $\mathfrak{H}$-inference

$\dfrac{A_2 \lor A_1}{A \lor A_2}$

with literals $A_1$ and $A_2$ from $L_1$. Note that $f_k$ does not occur in literals from $L'_0 \cup L''_0$. Let $M^*$ be the set of all clauses consisting of literals in $L_0 \cup L'_0 \cup L''_0 \cup L_1$ (without duplicated literals).

Consider an arbitrary eliminating cancellative superposition or cancellative equality factoring $\mathfrak{D}^{\mathrm{abs}}$-inference

$\dfrac{C_n \ \dots\ C_1}{\mathrm{elim}(C_0)}$

from premises in $M^*$ with pivotal term $f_k(x_1, \dots, x_i)$ and conclusion $D = \mathrm{elim}(C_0)$. If $f_k(x_1, \dots, x_i)$ occurs in $\mathrm{sfact}(D)$, then it occurs also in $C_0$. In this case, all variables in $C_0$ are shielded, thus $\mathrm{elim}(C_0) = C_0$. Since

$\dfrac{C_n \ \dots\ C_1}{C_0}$



144 Uwe Waldmann



is a cancellative superposition or cancellative equality factoring $\mathfrak{H}$-inference, $\mathrm{sfact}(D) = \mathrm{sfact}(C_0)$ is again contained in $M^*$. As $M \subseteq M^*$, we can conclude that all clauses in $\bigcup_r N^r_k$ with maximal atomic term $f_k(x_1, \dots, x_i)$ are contained in $M^*$. Since $M^*$ is finite, this completes the proof. □

Corollary 9. $N^*_k$ and $N^*$ are defined for every $k \in \{1, \dots, m+1\}$.

Theorem 10. $N \vdash N^*_{m+1} \vdash N^0_m \vdash N^1_m \vdash \dots \vdash N^*_m \vdash \dots \vdash N^0_1 \vdash N^1_1 \vdash \dots \vdash N^*_1 \vdash N^*$ is a finite theorem proving derivation; $N$ and $N^*$ are equivalent modulo $\mathrm{ACUKT} \cup \mathrm{DivInvNt}$.

Lemma 11. Let 1 < k < j < m. Then all !D“'”'inferences with pivotal term 
fj{xi,. .. ,xi) Grom clauses in A^^ are redimdant with respect to N^. 

Proof. By induction, we may assume that all S“*’*-inferences with pivotal term $f_p(x_1, \ldots, x_l)$, $p > k$, from clauses in $N_{k+1}^*$ are redundant with respect to $N_{k+1}^*$.

The clauses in $N_k^* \setminus N_{k+1}^*$ contain only function symbols $f_p$ with $p \le k$. Therefore, every ©“’’“-inference from clauses in $N_k^*$ with pivotal term $f_p(x_1, \ldots, x_l)$ and $p > k$ is an inference from clauses in $N_{k+1}^*$, hence it is redundant with respect to $N_{k+1}^*$. As all clauses in $N_{k+1}^* \setminus N_k^*$ are redundant with respect to $N_k^*$, every inference that is redundant with respect to $N_{k+1}^*$ is also redundant with respect to $N_k^*$. Therefore it suffices to show that all ©“’’“-inferences with pivotal term $f_k(x_1, \ldots, x_l)$ from clauses in $N_k^*$ are redundant with respect to $N_k^*$.

It is easy to check that literals with $f_k$ occurring on both sides cannot occur at all in clauses in $N_k^* \setminus N_k^0$, and that they can occur in a clause $C$ in $N_k^0$ only if some $f_p$ with $p > k$ occurs in $C$. Hence there are no cancellation inferences with pivotal term $f_k(x_1, \ldots, x_l)$ from clauses in $N_k^0 \cup (N_k^* \setminus N_k^0)$. This means that all inferences from clauses in $N_k^*$ with pivotal term $f_k(x_1, \ldots, x_l)$ are either cancellative superposition or cancellative equality factoring inferences, hence they are redundant with respect to $N_k^*$ by construction of $N_k^*$. □

Theorem 12. $N^*$ is saturated, that is, all inferences from clauses in $N^*$ are redundant with respect to $N^*$.

Proof. By Lemma 11, all ©“’’“-inferences with pivotal terms $f_j(x_1, \ldots, x_l)$ from clauses in $N_1^*$ are redundant with respect to $N_1^*$ (and hence with respect to $N^*$). Furthermore, by construction of $N^*$, all equality resolution inferences from clauses in $N_1^*$ are redundant with respect to $N^*$. Since equality resolution applies only to clauses with maximal literals $0 \not\approx 0$ and since no clause in $N^*$ contains repeated literals, no inferences are possible from clauses in $N^* \setminus N_1^*$. □

As $N^*$ is saturated, it contains the empty clause if and only if it is unsatisfiable modulo ACUKT ∪ DivInvNt. Since $N$ and $N^*$ are equivalent modulo the theory axioms, the main theorem of this paper is proved:

Theorem 13. The saturation strategy terminates for every finite input set $N \subseteq$ ; $N$ is unsatisfiable modulo ACUKT ∪ DivInvNt if and only if the strategy derives the empty clause from $N$.
7 Conclusions

In previous work, we have demonstrated that the cancellative superposition cal- 
culus ^ can be augmented by a variable elimination algorithm for DTAGs. The 
resulting calculus S®*** is refutationally complete with respect to the axioms 
of divisible torsion-free abelian groups and allows us to dispense with variable 
overlaps altogether. As variable overlaps are one of the most prolific types of 
inferences in resolution or superposition style calculi, integration of the variable 
elimination algorithm leads to a dramatically reduced search space compared 
with the usual cancellative superposition calculus or, even worse, AC or ACU 
superposition calculi. 

Since 1976 several resolution or superposition calculi have been shown to be 
decision procedures for certain classes of formulae (e. g., [3, 6-9, 11]). If the calculi 
in question are known to be refutationally complete, then showing that they are 
actually decision procedures amounts to proving that they terminate even on 
consistent inputs. In the present paper we have demonstrated that the calculus 
X)®*** is powerful enough to solve the decision problem for divisible torsion-free 
abelian groups. Following the general scheme described above, the termination 
proof is peculiar in two respects: First, we require that the set of clauses is saturated in a stratified way. Termination follows from the two facts that the number of strata is finite and that the number of new clauses derived during the saturation of each stratum is finite. Second, the particular structure of the literals and clauses makes it possible to assume that all clauses share the same variables and that the pivotal substitution is always the identity mapping - in some sense, variables are treated as if they were constants.

What remains open at present is the precise computational complexity of our decision procedure. The time bound that can be derived in a straightforward manner from the saturation strategy is non-elementary. Possibly significantly better bounds can be obtained for subclasses of but this is still a matter of further research.

Acknowledgments: I would like to thank Patrick Maier, Jurgen Stuber, and 
the LPAR’99 referees for helpful comments on this paper. 
Abstract. Starting from the regular tree language $E$ of ground constructor-instances of any linear term, we build a finite tree automaton that recognizes the set of descendants $R^*(E)$ of $E$ for a constructor-based term rewrite system whose right-hand-sides fulfill the following three restrictions: linearity, no nested function symbols, function arguments are variables or ground terms. Note that left-linearity is not assumed. We next present several applications.



1 Introduction 

Tree automata have already been applied to many areas of computer science, and in particular to rewriting techniques [2]. In comparison with more sophisticated refinements, finite tree automata are obviously less powerful, but have plenty of good properties and lead to much simpler algorithms from a practical point of view.

Because of potential applications to automated deduction and program validation, the problem of expressing by a finite tree automaton the transitive closure of a regular set $E$ of ground terms with respect to an equational system, as well as the related problem of expressing the set of descendants of $E$ with respect to a rewrite system, have already been investigated [1, 5, 13, 4, 9]¹. All those papers assume that the right-hand-sides (both sides when dealing with equational systems) of rewrite rules are shallow, up to slight differences. Shallow means that every variable appears at depth at most one.

On the other hand, the possibility of approximating the set of descendants by means of a finite tree automaton, only assuming left-linearity, has been investigated in [7].

Our work is located in between: it adjusts the former papers to constructor-based rewrite systems where right-hand-sides are not necessarily shallow, without making an approximation. Instead, we assume that function calls in right-hand-sides are shallow subterms (Restriction 1). However, to get regular sets of descendants, some additional restrictions are needed (Restrictions 2 and 3):

¹ [9] computes sets of normalizable terms, which amounts to computing sets of descendants by orienting the rewrite rules in the opposite sense.
1. For each rule $l \to r$ and each function symbol position $p$ in $r$, $r|_p = f(r_1, \ldots, r_n)$ where for all $i$, $r_i$ is a variable or a ground term².

2. The right-hand-sides are linear and do not contain nested function symbols.

3. $E$ is the set of the ground constructor-instances (also called data-instances) of a given linear term.

Fortunately, there is no need to start from any regular set $E$ for applications. If any among the above restrictions is not satisfied, the set of descendants $R^*(E)$ is not regular in general. If it were, the set of normal forms $R^!(E)$ of $E$ would be regular as well, provided that $R$ is left-linear, because $R^!(E) = R^*(E) \cap IRR(R)$ and the set of irreducible ground terms $IRR(R)$ is regular in this case. The following array shows that $R^!(E)$ is not regular.



Unsatisfied Restriction              | Rewrite System                          | E              | R!(E)
-------------------------------------|-----------------------------------------|----------------|------------------
Linearity in rhs's                   | f(x) -> c(x,x)                          | {f(t)}         | {c(t,t)}
Function calls in rhs's are          | f(s(x),y) -> s(f(x,s(y)))               | f(s^n(0),0)    | s^n(f(0,s^n(0)))
shallow subterms                     |                                         |                |
No nested function symbols in rhs's  | f(s(x),y) -> s(f(x,g(y))), g(x) -> s(x) | f(s^n(0),0)    | s^n(f(0,s^n(0)))
E = {tθ}                             | f(s(x)) -> s(f(x))                      | {f^n(s^n(0))}  | s^n(f^n(0))



The construction of the automaton is presented in Section 3. It is necessary to nest automata, as defined in Subsection 2.2. Applications to reachability through rewrite steps, unification, program testing, sufficient completeness are outlined in Section 4.

2 Preliminaries 

2.1 Term rewriting and finite tree automata 

Surveys can be found in [6] about term rewriting, and in [2, 8] about tree automata.

Let $C$ be a finite set of constructors and $F$ be a finite set of defined function symbols (functions in a shortened form). For $c \in C \cup F$, $ar(c)$ is the arity of $c$. Terms are denoted by letters $t, u$. A data-term is a ground term (i.e. without variables) that contains only constructors. $T(C)$ is the set of data-terms. For a term $t$, $Var(t)$ is the set of variables appearing in $t$, $Pos(t)$ is the set of positions of $t$, $\overline{Pos}(t)$ is the set of non-variable positions of $t$, $PosF(t)$ is the set of function positions of $t$. $t$ is linear if each variable of $t$ appears only once in $t$. For $p \in Pos(t)$, $t|_p$ is the subterm of $t$ at position $p$, $t(p)$ is the top symbol of $t|_p$, and $t[t']_p$ denotes the subterm replacement. For positions $p, p'$, $p > p'$ means that $p$ is located below $p'$, i.e. $p = p'.v$ for some position $v$, whereas $p \| p'$ means that $p$ and $p'$ are incomparable, i.e. $\neg(p > p') \wedge \neg(p' > p)$. The term $t$ contains

² It can be weakened into a more technical restriction, which allows non-shallow function calls: for each rewrite rule $l \to r$ and each function symbol position $p$ in $r$, if $r|_p$ unifies with a left-hand-side $l'$ (after variable renaming to avoid conflicts), then the mgu $\sigma$ does not instantiate the variables of $l'$, or only into ground subterms of $r$.
nested functions if there exist $p, p' \in Pos(t)$ s.t. $t(p) \in F$, $t(p') \in F$, and $p > p'$. The domain $dom(\theta)$ of a substitution $\theta$ is the set of variables $x$ s.t. $x\theta \neq x$.

A rewrite rule is an oriented pair of terms, written $l \to r$. We always assume that $Var(r) \subseteq Var(l)$³. A rewrite system $R$ is a finite set of rewrite rules. lhs stands for left-hand-side, rhs for right-hand-side. $R$ is constructor-based if every lhs $l$ of $R$ is of the form $l = f(t_1, \ldots, t_n)$ where $f \in F$ and $t_1, \ldots, t_n$ do not contain any functions. The rewrite relation is defined as follows: $t \to_R t'$ if there exist $p \in Pos(t)$, a rule $l \to r \in R$, and a substitution $\theta$ s.t. $t|_p = l\theta$ and $t' = t[r\theta]_p$. $\to^*_R$ denotes the transitive closure of $\to_R$. $t'$ is a descendant of $t$ if $t \to^*_R t'$. $t'$ is a normal-form of $t$ if $t \to^*_R t'$ and $t'$ is irreducible. If $E$ is a set of ground terms, $R^*(E)$ denotes the set of descendants of elements of $E$, and $R^!(E)$ denotes the set of normal-forms. $IRR(R)$ denotes the set of irreducible ground terms. Thus $R^!(E) = R^*(E) \cap IRR(R)$. $R$ is weakly normalizing if every term has at least one normal-form.

A (bottom-up) finite tree automaton is a quadruple $\mathcal{A} = (C \cup F, Q, Q_f, \Delta)$ where $Q_f \subseteq Q$ and $\Delta$ is a set of transitions of the form $c(q_1, \ldots, q_n) \to q$ where $c \in C \cup F$ and $q_1, \ldots, q_n, q \in Q$, or of the form $q_1 \to q$. Sets of states are denoted by letters $Q, S, D$, and states by $q, s, d$. $\to_\Delta$ (also denoted $\to_{\mathcal{A}}$) is the rewrite relation induced by $\Delta$. A ground term $t$ is recognized by $\mathcal{A}$ into $q$ if $t \to^*_\Delta q$. $L(\mathcal{A})$ is the set of terms recognized by $\mathcal{A}$ into any states of $Q_f$. The states of $Q_f$ are called final states. $\mathcal{A}$ is deterministic if whenever $t \to^*_\Delta q$ and $t \to^*_\Delta q'$ we have $q = q'$. A $Q$-substitution $\sigma$ is a substitution s.t. $\forall x \in dom(\sigma)$, $x\sigma \in Q$.

2.2 Nesting automata 

Definition 1. The automaton $\mathcal{A} = (C \cup F, Q, Q_f, \Delta)$ discriminates the position $p$ into the state $q$ if $L(\mathcal{A}) \neq \emptyset$ and for each $t \in L(\mathcal{A})$, we have $p \in Pos(t)$ and

- $t|_p$ is recognized into $q$ (and only into $q$),

- for each $p' \in Pos(t)$ s.t. $p' \neq p$, $t|_{p'}$ is not recognized into $q$.

In this case we define the automaton $\mathcal{A}|_p = (C \cup F, Q, \{q\}, \Delta)$.

Remark: $L(\mathcal{A}|_p) = \{t|_p \mid t \in L(\mathcal{A})\}$.

Definition 2. Let $\mathcal{A} = (C \cup F, Q, Q_f, \Delta)$ be an automaton that discriminates the position $p$ into the state $q$, and let $\mathcal{A}' = (C \cup F, Q', Q'_f, \Delta')$ s.t. $Q \cap Q' = \emptyset$. We define $\mathcal{A}[\mathcal{A}']_p =$

$$(C \cup F,\; Q \cup Q',\; Q_f,\; \Delta \setminus \{c(q_1, \ldots, q_n) \to q \mid c \in C \cup F,\; q_1, \ldots, q_n \in Q\} \;\cup\; \Delta' \;\cup\; \{q'_f \to q \mid q'_f \in Q'_f\})$$

Lemma 1. $L(\mathcal{A}[\mathcal{A}']_p) = \{t[t']_p \mid t \in L(\mathcal{A}),\; t' \in L(\mathcal{A}')\}$.

Proof. Let $t \in L(\mathcal{A})$ and $t' \in L(\mathcal{A}')$.

There exists $q'_f \in Q'_f$ s.t. $t[t']_p \to^* t[q'_f]_p \to t[q]_p$. Since $\mathcal{A}$ discriminates $p$ into $q$, there exists $q_f \in Q_f$ s.t. $t \to^* t[q]_p \to^* q_f$ and within $t[q]_p \to^* q_f$ no transition whose rhs is $q$ is used. Therefore $t[t']_p \to^* q_f$, i.e. $t[t']_p \in L(\mathcal{A}[\mathcal{A}']_p)$.

³ Left-hand-sides are allowed to be variables.

Conversely, let $t \in L(\mathcal{A}[\mathcal{A}']_p)$. Since the set of final states of $\mathcal{A}[\mathcal{A}']_p$ is $Q_f$, necessarily $t \to^* t[q'_{f_1}]_{p_1} \ldots [q'_{f_n}]_{p_n} \to^* t[q]_{p_1} \ldots [q]_{p_n} \to^* q_f$ where $q'_{f_1}, \ldots, q'_{f_n} \in Q'_f$ and $q_f \in Q_f$. Since $\mathcal{A}$ discriminates $p$ into $q$, necessarily $n = 1$ and $p_1 = p$. Therefore $t \to^* t[q]_p \to^*_{\mathcal{A}} q_f$ and $t|_p \to^*_{\mathcal{A}'} q'_{f_1}$, i.e. $t|_p \in L(\mathcal{A}')$. Since we assume $L(\mathcal{A}) \neq \emptyset$, let $u \in L(\mathcal{A})$. Then $u|_p \to^* q$. Thus $t[u|_p]_p \to^* t[q]_p \to^* q_f$, i.e. $t[u|_p]_p \in L(\mathcal{A})$.

As seen in the above proof, the states of $Q'$ concern only the positions located below $p$. Therefore:

Corollary 1. If $L(\mathcal{A}) \neq \emptyset$ and $\mathcal{A}$ discriminates another position $p'$ s.t. $p' \not> p$, into the state $q'$, then $\mathcal{A}[\mathcal{A}']_p$ still discriminates $p'$ into $q'$.



3 An automaton that recognizes R*{E) 



Definition 3. We define the automaton $\mathcal{A}_{data}$ that recognizes the set of data-terms $T(C)$:

$\mathcal{A}_{data} = (C, Q_{data}, Q_{data_f}, \Delta_{data})$ where $Q_{data} = Q_{data_f} = \{q_{data}\}$ and $\Delta_{data} = \{c(q_{data}, \ldots, q_{data}) \to q_{data} \mid c \in C\}$.

Given a linear term $t$, we define the automaton $\mathcal{A}_{t\varepsilon}$ that recognizes the data-instances of $t$: $\mathcal{A}_{t\varepsilon} = (C \cup F, Q_{t\varepsilon}, Q_{t\varepsilon_f}, \Delta_{t\varepsilon})$ where

$$Q_{t\varepsilon} = \{q^p \mid p \in \overline{Pos}(t)\} \cup \{q_{data}\}$$

$$Q_{t\varepsilon_f} = \{q^\varepsilon\} \quad (Q_{data} \text{ if } t \text{ is a variable})$$

$$\Delta_{t\varepsilon} = \{t(p)(s_1, \ldots, s_n) \to q^p \mid p \in \overline{Pos}(t),\; s_i = q_{data} \text{ if } t|_{p.i} \text{ is a variable},\; s_i = q^{p.i} \text{ otherwise}\} \cup \Delta_{data}$$

Note that $\mathcal{A}_{t\varepsilon}$ discriminates each position $p \in \overline{Pos}(t)$ into $q^p$. On the other hand, $\mathcal{A}_{t\varepsilon}$ is not deterministic⁴ as soon as there is $p \in \overline{Pos}(t)$ s.t. $t|_p$ is a constructor-term. Indeed for any data-instance $t|_p\theta$, $t|_p\theta \to^*_{\mathcal{A}_{t\varepsilon}} q^p$ and $t|_p\theta \to^*_{\mathcal{A}_{t\varepsilon}} q_{data}$.

Example 1. Let $a, s$ be constructors and $f$ be a function, s.t. $a$ is a constant and $s, f$ are unary symbols. Consider the term $t = f(s(s(y)))$ as well as the automaton $\mathcal{A}_{t\varepsilon}$ that recognizes the language $E = f(s(s(s^*(a))))$ of the data-instances of $t$. $\mathcal{A}_{t\varepsilon}$ can be summarized by writing $f(s(s(s^*(a))))$ with the states $q^\varepsilon, q^1, q^{1.1}, q_{data}$ written above $f$, $s$, $s$ and $s^*(a)$ respectively, which means that $s^*(a) \to^* q_{data}$, $s(s^*(a)) \to^* q^{1.1}$, $s(s(s^*(a))) \to^* q^1$, $f(s(s(s^*(a)))) \to^*_{\mathcal{A}_{t\varepsilon}} q^\varepsilon$. Consider now the rewrite system $R = \{f(s(x)) \to s(f(x))\}$. Obviously $R^*(E) = E \cup s(f(s(s^*(a)))) \cup s(s(s^*(f(s^*(a)))))$.

When rewriting $E$, some instances of rhs's of rewrite rules are introduced by rewrite steps. So, to build an automaton that can recognize $R^*(E)$, we need to recognize the instances of rhs's into some states, without making any confusion between the various potential instances of the same rhs. Indeed consider the first two rewrite steps issued from $E$:

$$f(s(s(s^*(a)))) \to_{[x/s(s^*(a))]} E' = s(f(s(s^*(a)))) \to_{[x/s^*(a)]} s(s(f(s^*(a))))$$

The language that instantiates $x$ along the first step is $s(s^*(a))$ (recognized into $q^{1.1}$) whereas it is $s^*(a)$ (recognized into $q_{data}$) along the second step. Therefore



we encode two versions of the rhs $s(f(x))$: one for $x$ recognized into $q^{1.1}$ and one for $x$ recognized into $q_{data}$, by adding the states $d^{1.1}_\varepsilon, d^{1.1}_1, d^{data}_\varepsilon, d^{data}_1$ and the transitions

$$f(q^{1.1}) \to d^{1.1}_1, \quad s(d^{1.1}_1) \to d^{1.1}_\varepsilon, \quad f(q_{data}) \to d^{data}_1, \quad s(d^{data}_1) \to d^{data}_\varepsilon$$

Thus the language recognized into $d^{1.1}_\varepsilon$ (resp. $d^{data}_\varepsilon$) is exactly the rhs instantiated by $s(s^*(a))$ (resp. $s^*(a)$). In other words $E' = s(f(s(s^*(a)))) \to^* d^{1.1}_\varepsilon$ (resp. $s(f(s^*(a))) \to^* d^{data}_\varepsilon$). More generally we encode a version of the rhs for each state of $Q_{t\varepsilon}$.



Now we can simulate rewrite steps on languages, by adding transitions again. This step is called saturation in the following. For example, consider again the first rewrite step issued from $E$:

$$f(s(s(s^*(a)))) \to_{[x/s(s^*(a))]} E' = s(f(s(s^*(a))))$$

Since $f(s(x))$ is the rule lhs, and $f(s(q^{1.1})) \to^*_{\mathcal{A}_{t\varepsilon}} q^\varepsilon$, we add the transition $d^{1.1}_\varepsilon \to q^\varepsilon$. Thus $E' = s(f(s(s^*(a)))) \to^* d^{1.1}_\varepsilon \to q^\varepsilon$ which is the final state. So $E'$ is recognized by the automaton. More generally, whenever $f(s(q)) \to^* q'$ for $q \in Q_{t\varepsilon}$, we add $d^q_\varepsilon \to q'$.



In the previous example, the matches used in rewrite steps always instantiate the variable by languages recognized into states of $\mathcal{A}_{t\varepsilon}$, i.e. the instances are (sub)terms of $E$. This is not the case in the following example.



Example 2. Let $E$ be the data-instances of $t = f(z)$ and $R = \{f(x) \to g(s(a)),\; g(y) \to s(y)\}$. The rewrite steps issued from $E$ are

$$f(s^*(a)) \to_{[r_1]} g(s(a)) \to_{[r_2,\; y/s(a)]} s(s(a))$$

Unfortunately $Q_{t\varepsilon} = \{q^\varepsilon, q_{data}\}$ and the language recognized into $q^\varepsilon$ (resp. $q_{data}$) is $f(s^*(a))$ (resp. $s^*(a)$). Thus we do not have any states that can exactly recognize the instance of the second rewrite step $\{s(a)\}$. This comes from the fact that $s(a)$ does not come from $E$, but from the rhs of $r_1$. Therefore we need to encode $s(a)$ by additional states.

In rhs's, function calls are assumed to be shallow subterms, and nested functions are not allowed. Therefore (see Lemma 5) the matches used in rewrite steps instantiate variables by either subterms of $E$, or (sub)-arguments of function calls in rhs's (which are data-terms). So, adding to $\mathcal{A}_{t\varepsilon}$ states and transitions to encode all the function call arguments is enough.
Definition 4. The non-variable arguments of functions in rhs's are encoded by the set of states $Q_{arg}$ and the set of transitions $\Delta_{arg}$ as defined below:

$$Q_{arg} = \{q^{r_i,p} \mid l_i \to r_i \in R,\; p \in Arg(r_i)\}$$

$$\Delta_{arg} = \{r_i(p)(q^{r_i,p.1}, \ldots, q^{r_i,p.n}) \to q^{r_i,p} \mid q^{r_i,p} \in Q_{arg}\}$$

where $Arg(r_i)$ are the non-variable argument positions in $r_i$, i.e.

$$Arg(r_i) = \{p \in \overline{Pos}(r_i) \mid \exists p_{fct} \in PosF(r_i),\; p > p_{fct}\}$$

Actually, for each state of $Q' = Q_{t\varepsilon} \cup Q_{arg}$, we have to encode a version of each rhs. In general, unlike the previous examples, rhs's may contain several variables. This is why we use states of the form $d^\sigma_p$ where $\sigma$ is a $Q'$-substitution, instead of $d^q_p$ where $q$ is a single state of $Q'$, to encode rhs's. Note that function arguments in rhs's are not encoded by new states in the following definition, but by those of $Q_{arg}$.



Definition 5. The rhs's of rewrite rules are encoded by the sets of states $Q_{arg}$ and

$$D = \{d^\sigma_{r_i,p} \mid l_i \to r_i \in R,\; p \in \overline{Pos}(r_i) \setminus Arg(r_i),\; \sigma \text{ is a } Q'\text{-substitution s.t. } dom(\sigma) = Var(r_i|_p)\}$$

and the set of transitions

$$\Delta_D = \{r_i(p)(d^{\sigma_1}_{r_i,p.1}, \ldots, d^{\sigma_n}_{r_i,p.n}) \to d^{\sigma_1 \cup \ldots \cup \sigma_n}_{r_i,p} \mid l_i \to r_i \in R,\; p \in \overline{Pos}(r_i) \setminus Arg(r_i),\; r_i(p) \in C,\; \forall j,\; \sigma_j \text{ is any } Q'\text{-substitution s.t. } dom(\sigma_j) = Var(r_i|_{p.j})\}$$

$$\cup\; \{r_i(p)(x_1, \ldots, x_n) \to d^\sigma_{r_i,p} \mid l_i \to r_i \in R,\; p \in PosF(r_i),\; \sigma \text{ is any } Q'\text{-substitution s.t. } dom(\sigma) = Var(r_i|_p),\; \text{where } \forall j,\; x_j = x\sigma \text{ if } r_i|_{p.j} \text{ is a variable } x,\; x_j = q^{r_i,p.j} \in Q_{arg} \text{ otherwise}\}$$

$$\cup\; \{x\sigma \to d^\sigma_{r_i,\varepsilon} \mid l_i \to r_i \in R,\; r_i \text{ is a variable } x,\; \sigma \text{ is any } Q'\text{-substitution s.t. } dom(\sigma) = \{x\}\}$$

Thus, the ground term $t$ is recognized into the state $d^\sigma_{r_i,\varepsilon}$ iff $t = r_i\theta$.

Let us explain now what happens when adding the transitions that simulate rewrite steps, if some lhs's are not linear.



Example 3. Let $E$ be the data-instances of $t = f(s(x), y)$ and $R = \{f(x, x) \to x\}$. Thus $E = f(s(s^*(a)), s^*(a))$, where $s(s^*(a))$ is recognized into $q^1$ and both copies of $s^*(a)$ into $q_{data}$. Obviously $R^*(E) = E \cup \{s(s^*(a))\}$. If we try to add transitions to simulate rewrite steps as in Example 1, we have to look for the states $q \in Q_{t\varepsilon}$ s.t. $f(q, q) \to_{\mathcal{A}_{t\varepsilon}} q'$. Unfortunately, no state of $Q_{t\varepsilon} = \{q^\varepsilon, q^1, q_{data}\}$ works.

Even so, the terms in the non-regular subset of $E$: $f(s(s^n(a)), s^{n+1}(a))$ are reducible. However they instantiate the left $x$ of the lhs by $q^1$ and the right $x$ by $q_{data}$, i.e. by two different states. So $s^{n+1}(a) \to^* q^1$ and $s^{n+1}(a) \to^* q_{data}$.

In other words $\mathcal{A}_{t\varepsilon}$ is not deterministic. If it were, the common instances $s^{n+1}(a)$ of the two occurrences of $x$ would be recognized into the same state, so it would work.
In this example $Q_{arg} = \emptyset$. If it is not, we have to start from the automaton $(C \cup F,\; Q_{t\varepsilon} \cup Q_{arg},\; \{q^\varepsilon\},\; \Delta_{t\varepsilon} \cup \Delta_{arg})$, which is not necessarily deterministic even if $\mathcal{A}_{t\varepsilon}$ is. Therefore this automaton must be determinized before starting.

In all previous examples, $t$ contained only one function. If there are several ones, and in particular, nested ones, we consider each function on its own and work incrementally.

Example 4. Let $E$ be the data-instances of $t = f(g(z))$ and

$$R = \{f(x) \to x,\; g(x) \to s(h(x)),\; h(s(x)) \to x\}$$

Then

$$f(g(s^*(a))) \to_{[r_1]} g(s^*(a)) \to_{[r_2]} s(h(s^*(a))) \to_{[r_3]} s(s^*(a))$$

This derivation can be commuted so that the innermost function $g$ is first reduced, as well as the rhs's coming from the reduction of $g$:

$$f(g(s^*(a))) \to_{[r_2]} f(s(h(s^*(a)))) \to_{[r_3]} f(s(s^*(a))) \to_{[r_1]} s(s^*(a))$$

Thanks to right-linearity, commuting rewrite derivations leaves the final term unchanged. Thus, we can write (roughly) $R^*(E) =$

If $t$ is for example $t = f(f(x))$, we must not make any confusion between both occurrences of $f$ in $t$. This is the goal of the following definitions.

Definition 6. $t \to^*_p t'$ means that $t'$ is obtained by reducing $t$ at position $p$, plus possibly at positions coming from the rhs's.

Formally, there exist some intermediate terms $t_1, \ldots, t_n$ and some sets of positions $P(t), P(t_1), \ldots, P(t_n)$ s.t.

$$t = t_0 \to_{[p_0,\; l_0 \to r_0]} t_1 \to_{[p_1,\; l_1 \to r_1]} \ldots \to_{[p_{n-1},\; l_{n-1} \to r_{n-1}]} t_n = t'$$

where

- $p_0 = p$ and $P(t) = \{p\}$,

- $\forall j$, $p_j \in P(t_j)$,

- $\forall j$, $P(t_{j+1}) = P(t_j) \setminus \{p' \mid p' > p_j\} \cup \{p_j.w \mid w \in PosF(r_j)\}$.

Remark: $P(t_j)$ only contains function positions. Since there are no nested functions in rhs's, $p, p' \in P(t_j)$ implies $p \| p'$.

Definition 7. Given a language $E$ and a position $p$, let $R^*_p(E) = E \cup \{t' \mid \exists t \in E,\; t \to^*_p t'\}$.

Example 5. Consider again Example 4. Then $R^*_1(f(g(s^*(a)))) = f(g(s^*(a))) \cup f(s(h(s^*(a)))) \cup f(s(s^*(a)))$.

Lemma 2. Let $E$ be the set of data-instances of a linear term $t$, and $\{p_1, \ldots, p_n\}$ be the function positions of $t$ sorted in an innermost way (i.e. $i < j \Rightarrow p_j \not> p_i$). Then

$$R^*(E) = R^*_{p_n}(\ldots (R^*_{p_1}(E)) \ldots)$$
Proof. Obviously $R^*_{p_n}(\ldots (R^*_{p_1}(E)) \ldots) \subseteq R^*(E)$.

Conversely, since $R$ is right-linear, each rewrite derivation $t \to^* t'$ can be commuted into $t \to_{p'_1} \ldots \to_{p'_k} t'$ s.t. $i < j \Rightarrow p'_j \not> p'_i$ (see [12, page 74]).

Rewrite steps at incomparable positions can also be commuted. Therefore we can get a derivation of the form

where $t_i \to^* t_{i+1}$ means $t_{i+1} = t_i$ or $t_i \to^*_{p_{i+1}} t_{i+1}$.

From an automaton $\mathcal{A}$, we are now able to define an automaton that recognizes $R^*_p(L(\mathcal{A}))$.

Notation: $\mathcal{A}_{det}$ denotes the automaton obtained by determinizing $\mathcal{A}$.

Definition 8. Let $\mathcal{A} = (C \cup F, Q, Q_f, \Delta)$ be an automaton that discriminates the position $p$ into the state $q$, and s.t. $Q \cap Q_{arg} = \emptyset$. We define:

$$\mathcal{A}' = (C \cup F, Q', Q'_f, \Delta') = (C \cup F,\; Q \cup Q_{arg},\; \{q\},\; \Delta \cup \Delta_{arg})_{det}$$

$$\mathcal{A}'' = (C \cup F, Q'', Q''_f, \Delta'') = (C \cup F,\; Q' \cup D \cup \{s\},\; \{s\},\; \Delta' \cup \Delta_D \cup \{q'_f \to s \mid q'_f \in Q'_f\})$$

Roughly speaking, $\mathcal{A}''$ is $\mathcal{A}'$ to which the encoding of rhs's has been added. In general $\mathcal{A}''$ is not deterministic although $\mathcal{A}'$ is (for example if two rhs's are identical). Determinizing $\mathcal{A}'$ is useless if every rewrite rule is left-linear. Note that $L(\mathcal{A}') = L(\mathcal{A}|_p)$ and $\mathcal{A}|_p$ discriminates the position $\varepsilon$ into $q$. However, due to the determinization, $\mathcal{A}'$ does not necessarily distinguish $\varepsilon$. This is why an additional state $s$ has been added into $\mathcal{A}''$. Thus, $L(\mathcal{A}'') = L(\mathcal{A}') = L(\mathcal{A}|_p)$ and $\mathcal{A}''$ discriminates the position $\varepsilon$ into $s$. This property is necessary in the saturation process defined below, to ensure that the first rewrite step is performed at position $\varepsilon$ on the terms recognized by $\mathcal{A}''$, i.e. at position $p$ on the terms recognized by $\mathcal{A}$.

Definition 9. (saturation)

Let $\mathcal{B}$ be the automaton obtained from $\mathcal{A}''$ by adding transitions in the following way: whenever there are $l_i \to r_i \in R$, a $Q'$-substitution $\sigma$ s.t. $dom(\sigma) = Var(l_i)$ and $l_i\sigma \to^* q$ where $q \in \{s\} \cup D$, add the transition $d^\sigma_{r_i,\varepsilon} \to q$.

$q$ may be in $D$ in order to simulate the rewrite steps issued from the rhs's coming from previous rewrite steps. The saturation process necessarily terminates because it does not add any new states, and the number of transition rules is bounded in a finite automaton.
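The constructions above, worked out as an added example (this is not the paper's own code, which it does not provide): Python versions of $\mathcal{A}_{t\varepsilon}$ (Section 3), the $Q_{arg}$ and $D$ encodings (Definitions 4 and 5), the extra final state $s$ (Definition 8) and the saturation step (Definition 9), run on Examples 1 and 2. It assumes left-linear rules, so the determinization of Definition 8 is skipped ($\mathcal{A}' = \mathcal{A}$), a variable argument of a constructor node in a rhs is taken directly from $\sigma$, and the state names (`q@1.1`, `arg@0:1`, `d@0:eps:x=q_data`, `s`) are this example's own.

```python
from itertools import product

class St(str): """An automaton state; a str subclass, so it is hashable but never a variable."""

QDATA = St('q_data')

def child(pos, j):                    # position of the j-th argument below pos ('' is epsilon)
    return f'{pos}.{j}' if pos else str(j)
def variables(t):                     # a term is (symbol, args...); a variable is a bare str
    if isinstance(t, St): return set()
    return {t} if isinstance(t, str) else set().union(*(variables(a) for a in t[1:]))
def subst(t, sigma):                  # replace variables by states or terms; state leaves stay
    if isinstance(t, St): return t
    return sigma.get(t, t) if isinstance(t, str) else (t[0],) + tuple(subst(a, sigma) for a in t[1:])

class TA:
    """Bottom-up tree automaton with transitions c(q1,...,qn) -> q and q1 -> q (Section 2.1)."""
    def __init__(self):
        self.trans, self.eps, self.final = {}, {}, set()    # (symbol, arg states) -> {q}; q1 -> {q}
    def add(self, sym, args, q): self.trans.setdefault((sym, tuple(args)), set()).add(q)
    def add_eps(self, q1, q): self.eps.setdefault(q1, set()).add(q)
    def states(self):
        qs = set(self.final) | set(self.eps) | set().union(*self.eps.values())
        for (_, args), targets in self.trans.items(): qs |= set(args) | targets
        return qs
    def closure(self, qs):            # close a set of states under the transitions q1 -> q
        todo, seen = list(qs), set(qs)
        while todo:
            for q in self.eps.get(todo.pop(), ()):
                if q not in seen: seen.add(q); todo.append(q)
        return frozenset(seen)
    def run(self, t):                 # all states into which t is recognized (t may hold state leaves)
        if isinstance(t, St): return self.closure({t})
        out = set()
        for combo in product(*(self.run(a) for a in t[1:])): out |= self.trans.get((t[0], combo), set())
        return self.closure(out)
    def accepts(self, t): return bool(self.run(t) & self.final)

def data_instances(t, C):
    """A_t,eps (Section 3): the data-instances of the linear term t; C maps constructors to arities."""
    A = TA()
    for c, n in C.items(): A.add(c, [QDATA] * n, QDATA)      # Delta_data
    def build(u, pos):                                      # one state q^p per non-variable position p
        if isinstance(u, str): return QDATA                 # a variable stands for any data-term
        q = St('q@' + (pos or 'eps'))
        A.add(u[0], [build(a, child(pos, j + 1)) for j, a in enumerate(u[1:])], q)
        return q
    A.final = {build(t, '')}
    return A

def saturate(A, R, F):
    """Definitions 4, 5, 8, 9 at position eps of A for left-linear R (no determinization, A' = A).
    R is a list of (lhs, rhs), F the set of function symbols.  Returns the saturated automaton B."""
    D = set()
    def enc_arg(i, u, pos):                                 # Definition 4: q^{r_i,p} for a ground argument
        q = St(f'arg@{i}:{pos}')
        A.add(u[0], [enc_arg(i, a, child(pos, j + 1)) for j, a in enumerate(u[1:])], q)
        return q
    def scan_args(i, u, pos):                               # encode every ground argument of a call in r_i
        for j, a in enumerate(() if isinstance(u, str) else u[1:]):
            if u[0] in F and not isinstance(a, str): enc_arg(i, a, child(pos, j + 1))
            else: scan_args(i, a, child(pos, j + 1))
    def enc_rhs(i, u, pos, sigma):                          # Definition 5: d^sigma_{r_i,p}, sigma cut to Var(r_i|p)
        if isinstance(u, str): return sigma[u]              # a variable x is recognized into x sigma
        d = St(f'd@{i}:{pos or "eps"}:' + ','.join(f'{x}={sigma[x]}' for x in sorted(variables(u))))
        if d not in D:
            D.add(d)
            if u[0] in F:                                   # function call: variables via sigma, ground args via Q_arg
                kids = [sigma[a] if isinstance(a, str) else enc_arg(i, a, child(pos, j + 1))
                        for j, a in enumerate(u[1:])]
            else:                                           # constructor node: children encoded under the same sigma
                kids = [enc_rhs(i, a, child(pos, j + 1), sigma) for j, a in enumerate(u[1:])]
            A.add(u[0], kids, d)
        return d
    for i, (_, r) in enumerate(R): scan_args(i, r, '')
    Qp = sorted(A.states())                                 # Q' = Q u Q_arg
    versions = []                                           # one version of r_i per Q'-substitution on Var(l_i)
    for i, (l, r) in enumerate(R):
        xs = sorted(variables(l))
        for vals in product(Qp, repeat=len(xs)):
            sigma = dict(zip(xs, vals))
            versions.append((l, enc_rhs(i, r, '', sigma), sigma))
    S = St('s')                                             # Definition 8: new final state s above the old ones
    for qf in A.final: A.add_eps(qf, S)
    A.final = {S}
    while True:                                             # Definition 9: l_i sigma ->* q in {s} u D adds d^sigma_eps -> q
        new = [(d, q) for l, d, sigma in versions for q in A.run(subst(l, sigma))
               if (q == S or q in D) and q != d and q not in A.eps.get(d, ())]
        if not new: return A
        for d, q in new: A.add_eps(d, q)

def example1():                       # Example 1: E = data-instances of f(s(s(y))), R = {f(s(x)) -> s(f(x))}
    return saturate(data_instances(('f', ('s', ('s', 'y'))), {'a': 0, 's': 1}),
                    [(('f', ('s', 'x')), ('s', ('f', 'x')))], {'f'})

def example2():                       # Example 2: E = data-instances of f(z), R = {f(x) -> g(s(a)), g(y) -> s(y)}
    return saturate(data_instances(('f', 'z'), {'a': 0, 's': 1}),
                    [(('f', 'x'), ('g', ('s', ('a',)))), (('g', 'y'), ('s', 'y'))], {'f', 'g'})
```

`example1().accepts(('s', ('s', ('f', ('a',)))))` is True, matching $s(s(f(a))) \in R^*(E)$, while `example1().accepts(('s', ('f', ('a',))))` is False because $f(s(a)) \notin E$.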

Lemma 3. $L(\mathcal{B}) = R^*(L(\mathcal{A}|_p))$.

Proof. See Subsection 3.1. 

Now, the main result is a straightforward consequence of lemmas 3 and 1.

Corollary 2. $L(\mathcal{A}[\mathcal{B}]_p) = R^*_p(L(\mathcal{A}))$.

Remark: From Corollary 1, $\mathcal{A}[\mathcal{B}]_p$ preserves the discrimination of every position $p' \not> p$. Thus the construction of $\mathcal{B}$ from $\mathcal{A}$ can be used incrementally to compute $R^*(E) = R^*_{p_n}(\ldots (R^*_{p_1}(E)) \ldots)$ as mentioned in Lemma 2.

Lemma 4. In the worst case, the number of states of the final automaton that recognizes $R^*(E) = R^*_{p_n}(\ldots (R^*_{p_1}(E)) \ldots)$ is a tower of exponentials of height $n$, in the number of positions of $t$.

Proof. For simplicity, let us suppose that $card(Q_{arg}) = 0$. Thus

$$\sum_i card(Var(r_i)) \cdot card(Q') \;\le\; card(D) \;\le\; \sum_i |r_i| \cdot card(Q')^{card(Var(r_i))}$$

where $|r_i| = card(Pos(r_i))$. Therefore for a given rewrite system, $card(D)$ is of the same order as $card(Q')$, i.e. because of the determinization. So $card(Q_{\mathcal{B}}) = card(Q'') = card(Q') + card(D) + 1$ is of the same order as $card(Q')$, i.e.

The result comes from the fact that building $\mathcal{B}$ from $\mathcal{A}$ is performed $n$ times incrementally.



3.1 Proof of lemma 3 

This proof breaks down into some lemmas. 

We first need some properties about the matches used along a rewrite derivation.

Lemma 5. Let $\mathcal{A} = (C \cup F, Q, Q_f, \Delta)$ be an automaton s.t. $Q \cap Q_{arg} = \emptyset$. For all $t \in L(\mathcal{A})$ and $p \in Pos(t)$, if $t = t_0 \to_{[p_0,\; l_0 \to r_0,\; \theta_0]} \ldots \to_{[p_n,\; l_n \to r_n,\; \theta_n]} t_{n+1}$ within the derivation $t \to^*_p t_{n+1}$, we have

$$\forall x \in Var(l_n),\; x\theta_n \to^* q \in Q \cup Q_{arg}$$

Proof. By induction on the length of the derivation.

If $n = 1$, $\forall x \in Var(l_0)$, $x\theta_0 = t|_v$ for some $v \in Pos(t)$. Therefore $x\theta_0 \to^* q \in Q$.

Induction step. We know that $p_n \in P(t_n)$. Then there exists $j < n$ s.t. $p_n = p_j.w$, $w \in PosF(r_j)$, and $r_j|_w = f(u_1, \ldots, u_k)$. Therefore for each $x \in Var(l_n)$:

- $x\theta_n = u_l|_v$ where $u_l$ is a non-variable function argument. Then, by construction of $\Delta_{arg}$, $x\theta_n \to^* q \in Q_{arg}$.

- Or $x\theta_n = (y\theta_j)|_v$ where $y \in Var(r_j)$. By induction hypothesis, $y\theta_j \to^* q \in Q \cup Q_{arg}$. Therefore $x\theta_n \to^* q \in Q \cup Q_{arg}$.

Recall that $L(\mathcal{A}|_p) = L(\mathcal{A}')$. To prove completeness, i.e. $L(\mathcal{B}) \supseteq R^*(L(\mathcal{A}'))$, we have to prove a more precise property, to be able to make the induction step.

Lemma 6. Let $t \in L(\mathcal{A}')$ and assume $t \to^*_\varepsilon t'$. Write $P(t') = \{p_1, \ldots, p_k\}$.

Then $\forall p \in P(t')$, $t'|_p \to^*_{\mathcal{B}} q_p \in \{s\} \cup D$ and $t'[q_{p_1}]_{p_1} \ldots [q_{p_k}]_{p_k} \to^*_{\mathcal{B}} s$.

Proof. By induction on the length of the derivation. Consider the last step $t_n \to_{[v,\; l \to r,\; \theta]} t'$ in $t \to^*_\varepsilon t'$. From lemma 5, $x\theta \to^* q \in Q \cup Q_{arg}$. Thus, after determinizing, there exists one and only one $s_x \in Q'$ s.t. $x\theta \to^*_{\mathcal{A}'} s_x$.
Now $v \in P(t_n)$. By induction hypothesis $t_n|_v \to^* q_n \in \{s\} \cup D$. Let $\sigma$ be the $Q'$-substitution defined by $dom(\sigma) = Var(l)$ and $\forall x \in Var(l)$, $x\sigma = s_x$. Then $l\sigma \to^* q_n \in \{s\} \cup D$. From the construction of $\mathcal{B}$, $d^\sigma_{r,\varepsilon} \to q_n \in \Delta_{\mathcal{B}}$.

Let $p' \in P(t')$.

- If $p' = v.w$ then $t'|_{p'} = (r\theta)|_w \to^* d^\sigma_{r,w} \in D$.

- Otherwise $p' \| v$. Then $t'|_{p'} = t_n|_{p'}$ and $p' \in P(t_n)$. By induction hypothesis $t_n|_{p'} \to^* q' \in \{s\} \cup D$.

Assume that $p_1, \ldots, p_k$ are sorted s.t. $p_1, \ldots, p_j > v$ and $p_{j+1}, \ldots, p_k \| v$, and write $p_i = v.w_i$ for $i \le j$. Thus

$$t'[d^\sigma_{r,w_1}]_{p_1} \ldots [d^\sigma_{r,w_j}]_{p_j} \to^*_{\mathcal{A}''} t'[d^\sigma_{r,\varepsilon}]_v \to_{\mathcal{B}} t'[q_n]_v = t_n[q_n]_v$$

$$t'[q_{j+1}]_{p_{j+1}} \ldots [q_k]_{p_k} = t_n[q_{j+1}]_{p_{j+1}} \ldots [q_k]_{p_k}$$

Therefore, from the induction hypothesis

$$t'[d^\sigma_{r,w_1}]_{p_1} \ldots [d^\sigma_{r,w_j}]_{p_j}[q_{j+1}]_{p_{j+1}} \ldots [q_k]_{p_k} \to^* t_n[q_n]_v[q_{j+1}]_{p_{j+1}} \ldots [q_k]_{p_k} \to^* s$$

To prove correctness, i.e. $L(\mathcal{B}) \subseteq R^*(L(\mathcal{A}'))$, we also have to prove a more precise property. We first need an additional definition.

Definition 10. Let $\Delta_{sat}$ be the transitions added by the saturation process (so $\Delta_{\mathcal{B}} = \Delta_{sat} \cup \Delta''$). For $t \in L(\mathcal{B})$, let $\|t\| = Min(\{length_{sat}(t \to^*_{\mathcal{B}} s)\})$ where $length_{sat}(t \to^*_{\mathcal{B}} s)$ is the number of steps using a transition of $\Delta_{sat}$.

The derivation $t \to^*_{\mathcal{B}} s$ is said minimal if $length_{sat}(t \to^*_{\mathcal{B}} s) = \|t\|$.

The proof of the following lemma shows that $\|t\|$ is the length of the shortest rewrite derivation that can reach $t$ from a term of $L(\mathcal{A}')$.

Lemma 7. If $t \to^*_{\mathcal{B}} s$ is minimal, then there exists $u \in L(\mathcal{A}')$ s.t. $u \to^*_\varepsilon t$, and for each intermediate term $C[q]_p$ in this minimal derivation (thus $t \to^*_{\mathcal{B}} C[q]_p \to^*_{\mathcal{B}} s$) s.t. $t(p)$ is a function and $q \in \{s\} \cup D$, we have $p \in P(t)$.

Proof. By induction on $\|t\|$.

If $\|t\| = 0$, then no minimal derivation $t \to^* q_f \to^* s$ ($q_f \in Q'_f$) contains any steps in $\Delta_{sat}$, or in $\Delta'' \setminus \Delta'$. Therefore $t \in L(\mathcal{A}')$. If $t \to^* C[s]_p$ then $p = \varepsilon$ and $P(t) = \{\varepsilon\}$.

Induction step. Consider a minimal derivation

$$t \to^*_{\mathcal{A}''} t_1 \to_{[p,\; d^\sigma_{r_i,\varepsilon} \to q \,\in\, \Delta_{sat}]} t_2 \to^*_{\mathcal{B}} s$$

Since $t_2 \to^*_{\mathcal{B}} s$ is minimal, then $\|t_2\| = length_{sat}(t_2 \to^*_{\mathcal{B}} s) < \|t\|$. But $t_2$ contains some states. By construction of $\Delta_{sat}$, $t_2[l_i\sigma]_p \to^* t_2[q]_p = t_2$ and $\forall x \in Var(l_i)$, $x\sigma \in Q'$. From rhs encoding, $\forall x \in Var(r_i)$, $x\theta \to^* x\sigma$. Besides, for each $x \in Var(l_i) \setminus Var(r_i)$ we choose a reachable state for $x\sigma$. Thus we can extend $\theta$ s.t. $x\theta \to^* x\sigma$. Consequently $t_2[l_i\theta]_p \to^* t_2 \to^*_{\mathcal{B}} s$ and it is minimal. Thus $\|t_2[l_i\theta]_p\| < \|t\|$ and it does not contain any states. By induction hypothesis there exists $u \in L(\mathcal{A}')$ s.t. $u \to^*_\varepsilon t_2[l_i\theta]_p$, and for each intermediate term $C[q']_{p'}$ in this minimal derivation (thus $t \to^*_{\mathcal{B}} C[q']_{p'} \to^*_{\mathcal{B}} s$) s.t. $t_2[l_i\theta]_p(p')$ is a function and $q' \in \{s\} \cup D$, we have $p' \in P(t_2[l_i\theta]_p)$.
Now $q \in \{s\} \cup D$ because $d^\sigma_{r_i,\varepsilon} \to q \in \Delta_{sat}$, and $t_2[l_i\theta]_p(p) = (l_i\theta)(\varepsilon)$ is a function. So $p \in P(t_2[l_i\theta]_p)$. Therefore $u \to^*_\varepsilon t_2[r_i\theta]_p = t$, and for each intermediate term $C[q']_{p'}$ in the minimal derivation $t \to^* s$ s.t. $t(p')$ is a function and $q' \in \{s\} \cup D$:

- if $p' \not> p$, then $t(p') = t_2[l_i\theta]_p(p')$, so $p' \in P(t)$.

- Otherwise since $t_2[l_i\theta]_p \to t$ and from the definition of $P$, we get $p' \in P(t)$.



4 Applications 

4.1 Reachability 

Reachability between ground terms is obviously decidable since $t_1 \to^* t_2$ is equivalent to $t_2 \in R^*(\{t_1\})$.



4.2 Unification of linear equations 

We assume that $R$ is confluent. Thus the equation $t = t'$ admits a solution $\sigma$ iff $t\sigma$ and $t'\sigma$ rewrite into the same term, i.e. $R^*(L(\mathcal{A}_{t\varepsilon})) \cap R^*(L(\mathcal{A}_{t'\varepsilon})) \neq \emptyset$ provided $Var(t) \cap Var(t') = \emptyset$ and $t, t'$ are linear.

This extends the result of [10, 11] established thanks to TTSG's (Tree Tuple Synchronized Grammars), since left-linearity is not required any more. On the other hand, TTSG's can express unifiers, and they allow to weaken the linearity of the equation to be solved, as we are going to show in some further work.



4.3 Program testing 

Let us see term rewrite systems as functional programs. The informal method to test a program usually consists in checking that for finitely many (and well chosen) data, the result is just the expected one. We suggest to do the same starting from an infinite language of data $E$, by providing an automaton that recognizes the language of expected results, and checking that it is equivalent to the automaton that recognizes $R^{data}(E) = R^*(E) \cap T(C)$.

Example 6. Consider the identity functions $Id_2$ (resp. $Id_3$) defined only for even natural integers (resp. integers multiple of three).

$$R = \{Id_2(s(s(x))) \to s(s(Id_2(x))),\; Id_2(0) \to 0,\; Id_3(s(s(s(x)))) \to s(s(s(Id_3(x)))),\; Id_3(0) \to 0\}$$

Let $E$ be the set of data-instances of $Id_2(Id_3(x))$. An automaton $\mathcal{A}_r$ that recognizes the expected results, i.e. the multiples of 6, can be easily built by the programmer. Then testing the program may consist in checking that $R^{data}(E) = L(\mathcal{A}_r)$.




Regular Sets of Descendants for Constructor-based Rewrite Systems 159 



4.4 Sufficient completeness 

$R$ is sufficiently complete if every ground term rewrites into a data-term.

If $R$ is left-linear, a finite automaton that recognizes the set of reducible ground terms can be easily built, since reducible ground terms are the instances of the lhs's, nested in any context. By complementation we get an automaton that recognizes $IRR(R)$. Thus if in addition $R$ is weakly normalizing, sufficient completeness is decidable thanks to the following lemma.

Lemma 8. Assume that $R$ is weakly normalizing. Then $R$ is sufficiently complete iff $IRR(R) \subseteq T(C)$.

Proof. $\Rightarrow$ is obvious.

$\Leftarrow$: Each term $t$ admits a normal-form $t\!\downarrow \in T(C)$.

When $R$ is not sufficiently complete, it might be interesting to check that the functions that are supposed to be completely defined, are indeed.

Notation: For each function $f$, let $E_f = \{f(t_1, \ldots, t_n) \mid t_1, \ldots, t_n \in T(C)\}$. $E_f$ contains the data-instances of $f(x_1, \ldots, x_n)$.

Lemma 9. [7] Assume that $R$ is weakly normalizing. If $R^!(E_f) \subseteq T(C)$, then $f$ is completely defined.

Proof. $\forall t_1, \ldots, t_n \in T(C)$, $f(t_1, \ldots, t_n) \to^* f(t_1, \ldots, t_n)\!\downarrow \in T(C)$.

5 Conclusion

We think that this work could be used in practice, because the final automaton often includes far fewer states than mentioned in Lemma 4. Indeed, determinization is useless whenever we reduce a function $f$ s.t. every rewrite derivation issued from $f$ uses only left-linear rules, which can be easily checked. Moreover, if the encoding of rhs's is performed only when needed, we get a set of states much smaller than $D$ in most cases.

The assumed restrictions about rhs's are not realistic from a programming point of view. We however hope that this work could give rise to approximations dealing with any rhs's, more precise than that of [7].

Another way to weaken the restrictions might consist in using more sophisticated tree languages, at the expense of more complicated algorithms.
Abstract. Description Logics (DLs) are a family of knowledge representation formalisms mainly characterised by constructors to build complex concepts and roles from atomic ones. Expressive role constructors are important in many applications, but can be computationally problematical. We present an algorithm that decides satisfiability of the DL ALC extended with transitive and inverse roles, role hierarchies, and qualifying number restrictions. Early experiments indicate that this algorithm is well-suited for implementation. Additionally, we show that ALC extended with just transitive and inverse roles is still in PSpace. Finally, we investigate the limits of decidability for this family of DLs.



1 Motivation

Description Logics (DLs) are a well-known family of knowledge representation formalisms [DLNS96]. They are based on the notion of concepts (unary predicates, classes) and roles (binary relations), and are mainly characterised by constructors that allow complex concepts and roles to be built from atomic ones. Sound and complete algorithms for the interesting inference problems such as subsumption and satisfiability of concepts are known for a wide variety of DLs [SS91; DLNdN91; Sat96; DL96; CDL99].

To be used in a specific application, the expressivity of the DL must be sufficient to describe relevant properties of objects in the application domain. For example, transitive roles (e.g. “ancestor”) and inverse roles (e.g. “successor”/“predecessor”) play an important role not only in the adequate representation of complex, aggregated objects [HS99], but also for reasoning with conceptual data models [CLN94]. Moreover, reasoning with respect to cyclic definitions is crucial for applying DLs to reasoning with database schemata [CDL98a].

The relevant inference problems for (extensions of) DLs that allow for transitive and inverse roles are known to be decidable [DL96], and appropriate inference algorithms have been described [DM98], but their high degree of non-determinism appears to prohibit their use in realistic applications. This is mainly due to the fact that these algorithms can handle not just transitive roles but also

* Part of this work was carried out while being a guest at IRST, Trento.

* This work was supported by the Esprit Project 22469 - DWQ and the DFG, Project No. GR 1324/3-1.
the transitive closure of roles. It has been shown [Sat96] that restricting a DL to transitive roles can lead to a lower complexity, and that transitive roles (even when combined with role hierarchies) allow for algorithms that behave quite well in realistic applications [Hor98]. However, it remained to show that this is still true when inverse roles and qualifying number restrictions are also present.

This paper extends our understanding of these issues in several directions. Firstly, we present an algorithm that decides satisfiability of ALC [SS91] (which can be seen as a notational variant of the multi modal logic $K_m$) extended with transitive and inverse roles, role hierarchies, and qualifying number restrictions, i.e., concepts of the form $(\leqslant 3\ \mathit{hasChild}\ \mathit{Female})$ that allow the description of objects by restricting the number of objects of a given type they are related to via a certain role. The algorithm can also be used for checking satisfiability and subsumption with respect to general concept inclusion axioms (and thus cyclic definitions) because these axioms can be “internalised”. The absence of transitive closure leads to a lower degree of non-determinism, and experiments indicate that the algorithm is well-suited for implementation.

Secondly, we show that ALC extended with both transitive and inverse roles is still in PSPACE. The algorithm used to prove this rather surprising result introduces an enhanced blocking technique. In general, blocking is used to ensure termination of the algorithm in cases where it would otherwise be stuck in a loop. The enhanced blocking technique allows such cases to be detected earlier and should provide useful efficiency gains in implementations of this and more expressive DLs.

Finally, we investigate the limits of decidability for this family of DLs, showing that relaxing the constraints placed on the kinds of roles allowed in number restrictions leads to the undecidability of all inference problems.

Due to a lack of space we can only present selected proofs. For full details please refer to [HST98; HST99].

2 Preliminaries

In this section, we present the syntax and semantics of the various DLs that are investigated in subsequent sections. This includes the definition of inference problems (concept subsumption and satisfiability, and both of these problems with respect to terminologies) and how they are interrelated.

The logics we will discuss are all based on an extension of the well known DL ALC [SS91] to include transitively closed primitive roles [Sat96]; we will call this logic S due to its relationship with the propositional (multi) modal logic $S4_{(m)}$ [Sch91].¹ This basic DL is then extended in a variety of ways — see Figure 1 for an overview.

Definition 1. Let $\mathbf{C}$ be a set of concept names and $\mathbf{R}$ a set of role names with transitive role names $\mathbf{R}_+ \subseteq \mathbf{R}$. The set of SI-roles is $\mathbf{R} \cup \{R^- \mid R \in \mathbf{R}\}$. The

¹ The logic S has previously been called $ALC_{R^+}$, but this becomes too cumbersome when adding letters to represent additional features.
set of SI-concepts is the smallest set such that every concept name is a concept, and, if $C$ and $D$ are concepts and $R$ is an SI-role, then $(C \sqcap D)$, $(C \sqcup D)$, $(\neg C)$, $(\forall R.C)$, and $(\exists R.C)$ are also concepts.

To avoid considering roles such as $R^{--}$, we define a function $\mathrm{Inv}$ on roles such that $\mathrm{Inv}(R) = R^-$ if $R$ is a role name, and $\mathrm{Inv}(R) = S$ if $R = S^-$. We also define a function $\mathrm{Trans}$ which returns true iff $R$ is a transitive role. More precisely, $\mathrm{Trans}(R) = \mathit{true}$ iff $R \in \mathbf{R}_+$ or $\mathrm{Inv}(R) \in \mathbf{R}_+$.

SHI is obtained from SI by allowing, additionally, for a set of role inclusion axioms of the form $R \sqsubseteq S$, where $R$ and $S$ are two roles, each of which can be inverse. For a set of role inclusion axioms $\mathcal{R}$,

$\mathcal{R}^+ := (\mathcal{R} \cup \{\mathrm{Inv}(R) \sqsubseteq \mathrm{Inv}(S) \mid R \sqsubseteq S \in \mathcal{R}\},\ \sqsubseteq^*)$

is called a role hierarchy, where $\sqsubseteq^*$ is the transitive-reflexive closure of $\sqsubseteq$ over $\mathcal{R} \cup \{\mathrm{Inv}(R) \sqsubseteq \mathrm{Inv}(S) \mid R \sqsubseteq S \in \mathcal{R}\}$.

SHIQ is obtained from SHI by allowing, additionally, for qualifying number restrictions, i.e., for concepts of the form $(\leqslant n\ R\ C)$ and $(\geqslant n\ R\ C)$, where $R$ is a simple (possibly inverse) role and $n$ is a non-negative integer. A role is called simple iff it is neither transitive nor has transitive sub-roles.

SHIN is the restriction of SHIQ where qualifying number restrictions may only be of the form $(\leqslant n\ R\ \top)$ and $(\geqslant n\ R\ \top)$. In this case, we omit the symbol $\top$ and write $(\leqslant n\ R)$ and $(\geqslant n\ R)$ instead.
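The following Python functions, added here as an illustration and not part of the paper, implement the role-level definitions above: $\mathrm{Inv}$, the inverse-closed role hierarchy $\mathcal{R}^+$ with its transitive-reflexive closure $\sqsubseteq^*$, $\mathrm{Trans}$, and the test whether a role is simple, which is the side condition SHIQ places on the roles in number restrictions. The string convention `'R-'` for $R^-$ and the role names used in the test are this example's own.

```python
# Added example (not from the paper): the role-level definitions of Section 2:
# Inv, the inverse-closed role hierarchy R+ with its transitive-reflexive closure
# ⊑*, Trans, and the "simple role" side condition SHIQ imposes on number
# restrictions.  Roles are strings; the inverse of a role name 'R' is 'R-'.
# Role names used in the tests are constructed for this example.

def inv(r):
    """Inv(R) = R^- for a role name R, and Inv(S^-) = S."""
    return r[:-1] if r.endswith('-') else r + '-'


def role_hierarchy(axioms):
    """Given role inclusion axioms as pairs (R, S) meaning R ⊑ S, return ⊑*:
    the transitive-reflexive closure over the axioms together with their
    inverse-closed copies {Inv(R) ⊑ Inv(S) | R ⊑ S}, as a set of pairs."""
    rel = set(axioms) | {(inv(r), inv(s)) for r, s in axioms}
    roles = {r for pair in rel for r in pair}
    closure = rel | {(r, r) for r in roles}          # reflexive part
    changed = True
    while changed:                                    # transitive saturation
        changed = False
        for (a, b) in list(closure):
            for (c, d) in list(closure):
                if b == c and (a, d) not in closure:
                    closure.add((a, d))
                    changed = True
    return closure


def trans(r, transitive_names):
    """Trans(R) = true iff R ∈ R+ or Inv(R) ∈ R+ (R+: the transitive role names)."""
    return r in transitive_names or inv(r) in transitive_names


def sub_roles(r, closure):
    """All S with S ⊑* R (R itself included, by reflexivity)."""
    return {s for (s, t) in closure if t == r}


def is_simple(r, closure, transitive_names):
    """A role is simple iff it is neither transitive nor has transitive sub-roles.
    SHIQ admits only simple roles in (⩽ n R C) / (⩾ n R C)."""
    return not any(trans(s, transitive_names) for s in sub_roles(r, closure))


def check_number_restriction(n, r, closure, transitive_names):
    """Admissibility of a number restriction (⋈ n R ...) in SHIQ: n must be a
    non-negative integer and R a simple role.  Returns (ok, reason)."""
    if not isinstance(n, int) or n < 0:
        return False, "n must be a non-negative integer"
    if not is_simple(r, closure, transitive_names):
        return False, "%s is not simple (transitive or has a transitive sub-role)" % r
    return True, "ok"
```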

An interpretation $\mathcal{I} = (\Delta^{\mathcal{I}}, \cdot^{\mathcal{I}})$ consists of a set $\Delta^{\mathcal{I}}$, called the domain of $\mathcal{I}$, and a valuation $\cdot^{\mathcal{I}}$ which maps every concept to a subset of $\Delta^{\mathcal{I}}$ and every role to a subset of $\Delta^{\mathcal{I}} \times \Delta^{\mathcal{I}}$ such that, for all concepts $C$, $D$, roles $R$, $S$, and non-negative integers $n$, the properties in Figure 1 are satisfied, where $\sharp M$ denotes the cardinality of a set $M$. An interpretation satisfies a role hierarchy $\mathcal{R}^+$ iff $R^{\mathcal{I}} \subseteq S^{\mathcal{I}}$ for each $R \sqsubseteq^* S \in \mathcal{R}^+$; we denote this fact by $\mathcal{I} \models \mathcal{R}^+$ and say that $\mathcal{I}$ is a model of $\mathcal{R}^+$.

A concept $C$ is called satisfiable with respect to a role hierarchy $\mathcal{R}^+$ iff there is some interpretation $\mathcal{I}$ such that $\mathcal{I} \models \mathcal{R}^+$ and $C^{\mathcal{I}} \neq \emptyset$. Such an interpretation is called a model of $C$ w.r.t. $\mathcal{R}^+$. A concept $D$ subsumes a concept $C$ w.r.t. $\mathcal{R}^+$ (written $C \sqsubseteq_{\mathcal{R}^+} D$) iff $C^{\mathcal{I}} \subseteq D^{\mathcal{I}}$ holds for each model $\mathcal{I}$ of $\mathcal{R}^+$. For an interpretation $\mathcal{I}$, an individual $x \in \Delta^{\mathcal{I}}$ is called an instance of a concept $C$ iff $x \in C^{\mathcal{I}}$.

All DLs considered here are closed under negation, hence subsumption and (un)satisfiability w.r.t. role hierarchies can be reduced to each other: $C \sqsubseteq_{\mathcal{R}^+} D$ iff $C \sqcap \neg D$ is unsatisfiable w.r.t. $\mathcal{R}^+$, and $C$ is unsatisfiable w.r.t. $\mathcal{R}^+$ iff $C \sqsubseteq_{\mathcal{R}^+} A \sqcap \neg A$ for some concept name $A$.

In [Baa91; Sch91; BBN+93], the internalisation of terminological axioms is introduced, a technique that reduces reasoning with respect to a (possibly cyclic) terminology to satisfiability of concepts. In [Hor98], we saw how role hierarchies can be used for this reduction. In the presence of inverse roles, this reduction must be slightly modified.
| Construct                      | Syntax               | Semantics                                                                                             | Name |
|--------------------------------|----------------------|-------------------------------------------------------------------------------------------------------|------|
| atomic concept                 | $A$                  | $A^{\mathcal{I}} \subseteq \Delta^{\mathcal{I}}$                                                       | S    |
| universal concept              | $\top$               | $\top^{\mathcal{I}} = \Delta^{\mathcal{I}}$                                                            |      |
| atomic role                    | $R$                  | $R^{\mathcal{I}} \subseteq \Delta^{\mathcal{I}} \times \Delta^{\mathcal{I}}$                           |      |
| transitive role                | $R \in \mathbf{R}_+$ | $R^{\mathcal{I}} = (R^{\mathcal{I}})^+$                                                                |      |
| conjunction                    | $C \sqcap D$         | $C^{\mathcal{I}} \cap D^{\mathcal{I}}$                                                                 |      |
| disjunction                    | $C \sqcup D$         | $C^{\mathcal{I}} \cup D^{\mathcal{I}}$                                                                 |      |
| negation                       | $\neg C$             | $\Delta^{\mathcal{I}} \setminus C^{\mathcal{I}}$                                                       |      |
| exists restriction             | $\exists R.C$        | $\{x \mid \exists y.\ (x,y) \in R^{\mathcal{I}} \text{ and } y \in C^{\mathcal{I}}\}$                   |      |
| value restriction              | $\forall R.C$        | $\{x \mid \forall y.\ (x,y) \in R^{\mathcal{I}} \text{ implies } y \in C^{\mathcal{I}}\}$               |      |
| role hierarchy                 | $R \sqsubseteq S$    | $R^{\mathcal{I}} \subseteq S^{\mathcal{I}}$                                                            | H    |
| inverse role                   | $R^-$                | $\{(x,y) \mid (y,x) \in R^{\mathcal{I}}\}$                                                             | I    |
| number restrictions            | $\geqslant n\ R$     | $\{x \mid \sharp\{y.\ (x,y) \in R^{\mathcal{I}}\} \geqslant n\}$                                       | N    |
|                                | $\leqslant n\ R$     | $\{x \mid \sharp\{y.\ (x,y) \in R^{\mathcal{I}}\} \leqslant n\}$                                       |      |
| qualifying number restrictions | $\geqslant n\ R.C$   | $\{x \mid \sharp\{y.\ (x,y) \in R^{\mathcal{I}} \text{ and } y \in C^{\mathcal{I}}\} \geqslant n\}$     | Q    |
|                                | $\leqslant n\ R.C$   | $\{x \mid \sharp\{y.\ (x,y) \in R^{\mathcal{I}} \text{ and } y \in C^{\mathcal{I}}\} \leqslant n\}$     |      |

Fig. 1. Syntax and semantics of the SI family of DLs



Definition 2. A terminology $T$ is a finite set of general concept inclusion axioms, $T = \{C_1 \sqsubseteq D_1, \ldots, C_n \sqsubseteq D_n\}$, where $C_i, D_i$ are arbitrary SHIQ-concepts. An interpretation $\mathcal{I}$ is said to be a model of $T$ iff $C_i^{\mathcal{I}} \subseteq D_i^{\mathcal{I}}$ holds for all $C_i \sqsubseteq D_i \in T$. $C$ is satisfiable with respect to $T$ iff there is a model $\mathcal{I}$ of $T$ with $C^{\mathcal{I}} \neq \emptyset$. Finally, $D$ subsumes $C$ with respect to $T$ iff for each model $\mathcal{I}$ of $T$ we have $C^{\mathcal{I}} \subseteq D^{\mathcal{I}}$.

The following Lemma shows how general concept inclusion axioms can be internalised using a “universal” role $U$, that is, a transitive super-role of all roles occurring in $T$ and their respective inverses.

Lemma 1. Let $T$ be a terminology, $\mathcal{R}$ a set of role inclusion axioms and $C, D$ SHIQ-concepts and let

$C_T := \bigsqcap_{C_i \sqsubseteq D_i \in T} \neg C_i \sqcup D_i.$

Let $U$ be a transitive role that does not occur in $T$, $C$, $D$, or $\mathcal{R}$. We set

$\mathcal{R}_U := \mathcal{R} \cup \{R \sqsubseteq U,\ \mathrm{Inv}(R) \sqsubseteq U \mid R \text{ occurs in } T, C, D, \text{ or } \mathcal{R}\}.$

Then $C$ is satisfiable w.r.t. $T$ and $\mathcal{R}^+$ iff $C \sqcap C_T \sqcap \forall U.C_T$ is satisfiable w.r.t. $\mathcal{R}_U^+$. Moreover, $D$ subsumes $C$ with respect to $T$ and $\mathcal{R}^+$ iff $C \sqcap \neg D \sqcap C_T \sqcap \forall U.C_T$ is unsatisfiable w.r.t. $\mathcal{R}_U^+$.

The proof of Lemma 1 is similar to the ones that can be found in [Sch91; Baa91]. Most importantly, it must be shown that, (a) if a SHIQ-concept $C$ is satisfiable with respect to a terminology $T$ and a role hierarchy $\mathcal{R}^+$, then $C, T$ have a connected model, and (b) if $y$ is reachable from $x$ via a role path (possibly involving inverse roles), then $(x,y) \in U^{\mathcal{I}}$. These are easy consequences of the semantics and the definition of $U$.

Theorem 1. Satisfiability and subsumption of SHIQ-concepts (resp. SHI-concepts) w.r.t. terminologies and role hierarchies are polynomially reducible to (un)satisfiability of SHIQ-concepts (resp. SHI-concepts) w.r.t. role hierarchies.

3 Reasoning for SI Logics

In this section, we present two tableaux algorithms: the first decides satisfiability of SHIQ-concepts, and can be used for all SHIQ reasoning problems (see Theorem 1); the second decides satisfiability (and hence subsumption) of SI-concepts in PSPACE. Please note that SHIN (and hence SHIQ) no longer has the finite model property: for example, the following concept, where $R$ is a transitive super-role of $F$, is satisfiable, but each of its models has an infinite domain.

$\neg C \sqcap \exists F^-.(C \sqcap \leqslant 1 F) \sqcap \forall R^-.(\exists F^-.(C \sqcap \leqslant 1 F))$

This concept requires the existence of an infinite $F^-$-path, where the first element on the path satisfies $\neg C$ while all other elements satisfy $C \sqcap \leqslant 1 F$. This path cannot collapse into a cycle: (a) it cannot return to the first element because this element cannot satisfy both $C$ and $\neg C$; (b) it cannot return to any subsequent element on the path because then this node would not satisfy $\leqslant 1 F$.

The correctness of the algorithms we are presenting can be proved by showing that they create a tableau for a concept iff it is satisfiable. For ease of construction, we assume all concepts to be in negation normal form (NNF), that is, negation occurs only in front of concept names. Any SHIQ-concept can easily be transformed to an equivalent one in NNF by pushing negations inwards [HNS90]; with $\sim\! C$ we denote the NNF of $\neg C$. For a concept $C$ in NNF we define $\mathit{clos}(C)$ as the smallest set of concepts that contains $C$ and is closed under subconcepts and $\sim$. Please note that the size of $\mathit{clos}(C)$ is linearly bounded by the size of $C$.

Definition 3. Let $D$ be a SHIQ-concept in NNF, $\mathcal{R}^+$ a role hierarchy, and $\mathbf{R}_D$ the set of roles occurring in $D$ and $\mathcal{R}^+$ together with their inverses. Then $T = (\mathbf{S}, \mathcal{L}, \mathcal{E})$ is a tableau for $D$ w.r.t. $\mathcal{R}^+$ iff $\mathbf{S}$ is a set of individuals, $\mathcal{L} : \mathbf{S} \to 2^{\mathit{clos}(D)}$ maps each individual to a set of concepts, $\mathcal{E} : \mathbf{R}_D \to 2^{\mathbf{S} \times \mathbf{S}}$ maps each role to a set of pairs of individuals, and there is some individual $s \in \mathbf{S}$ such that $D \in \mathcal{L}(s)$. Furthermore, for all $s, t \in \mathbf{S}$, $C, C_1, C_2 \in \mathit{clos}(D)$, and $R, S \in \mathbf{R}_D$, it holds that:

1. if $C \in \mathcal{L}(s)$, then $\neg C \notin \mathcal{L}(s)$,
2. if $C_1 \sqcap C_2 \in \mathcal{L}(s)$, then $C_1 \in \mathcal{L}(s)$ and $C_2 \in \mathcal{L}(s)$,
3. if $C_1 \sqcup C_2 \in \mathcal{L}(s)$, then $C_1 \in \mathcal{L}(s)$ or $C_2 \in \mathcal{L}(s)$,
4. if $\forall S.C \in \mathcal{L}(s)$ and $(s,t) \in \mathcal{E}(S)$, then $C \in \mathcal{L}(t)$,
5. if $\exists S.C \in \mathcal{L}(s)$, then there is some $t \in \mathbf{S}$ such that $(s,t) \in \mathcal{E}(S)$ and $C \in \mathcal{L}(t)$,
6. if $\forall S.C \in \mathcal{L}(s)$ and $(s,t) \in \mathcal{E}(R)$ for some $R \sqsubseteq^* S$ with $\mathrm{Trans}(R)$, then $\forall R.C \in \mathcal{L}(t)$,
7. $(x,y) \in \mathcal{E}(R)$ iff $(y,x) \in \mathcal{E}(\mathrm{Inv}(R))$,
8. if $(s,t) \in \mathcal{E}(R)$ and $R \sqsubseteq^* S$, then $(s,t) \in \mathcal{E}(S)$,
9. if $(\leqslant n\ S\ C) \in \mathcal{L}(s)$, then $\sharp S^T(s,C) \leqslant n$,
10. if $(\geqslant n\ S\ C) \in \mathcal{L}(s)$, then $\sharp S^T(s,C) \geqslant n$,
11. if $(\bowtie n\ S\ C) \in \mathcal{L}(s)$ and $(s,t) \in \mathcal{E}(S)$ then $C \in \mathcal{L}(t)$ or $\sim\! C \in \mathcal{L}(t)$,

where we use $\bowtie$ as a placeholder for both $\leqslant$ and $\geqslant$ and we define

$S^T(s,C) := \{t \in \mathbf{S} \mid (s,t) \in \mathcal{E}(S) \text{ and } C \in \mathcal{L}(t)\}.$

Tableaux for SI-concepts are defined analogously and must satisfy Properties 1-7, where, due to the absence of a role hierarchy, $\sqsubseteq^*$ is the identity.

Due to the close relationship between models and tableaux, the following lemma can be easily proved by induction. As a consequence, an algorithm that constructs (if possible) a tableau for an input concept is a decision procedure for satisfiability of concepts.

Lemma 2. A SHIQ-concept (resp. SI-concept) $D$ is satisfiable w.r.t. a role hierarchy $\mathcal{R}^+$ iff $D$ has a tableau w.r.t. $\mathcal{R}^+$.

3.1 Reasoning in SHIQ

In the following, we give an algorithm that, given a SHIQ-concept $D$, decides the existence of a tableau for $D$. We implicitly assume an arbitrary but fixed role hierarchy $\mathcal{R}^+$. The tableaux algorithm works on a finite completion tree (a tree some of whose nodes correspond to individuals in the tableau, each node being labelled with a set of SHIQ-concepts), and employs a blocking technique [HS99] to guarantee termination: If a path contains two pairs of successive nodes that have pair-wise identical labels and whose connecting edges have identical labels, then the path beyond the second pair is no longer expanded; it is said to be blocked. Blocked paths can be “unravelled” to construct an infinite tableau. The identical labels make sure that copies of the first pair and their descendants can be substituted for the second pair of nodes and their respective descendants.

Definition 4. A completion tree for a SHIQ-concept $D$ is a tree where each node $x$ of the tree is labelled with a set $\mathcal{L}(x) \subseteq \mathit{clos}(D)$ and each edge $\langle x,y \rangle$ is labelled with a set $\mathcal{L}(\langle x,y \rangle)$ of (possibly inverse) roles occurring in $\mathit{clos}(D)$; explicit inequalities between nodes of the tree are recorded in a binary relation $\neq$ that is implicitly assumed to be symmetric.

Given a completion tree, a node $y$ is called an $R$-successor of a node $x$ iff $y$ is a successor of $x$ and $S \in \mathcal{L}(\langle x,y \rangle)$ for some $S$ with $S \sqsubseteq^* R$. A node $y$ is called an $R$-neighbour of $x$ iff $y$ is an $R$-successor of $x$, or if $x$ is an $\mathrm{Inv}(R)$-successor of $y$. Predecessors and ancestors are defined as usual.

A node is blocked iff it is directly or indirectly blocked. A node $x$ is directly blocked iff none of its ancestors are blocked, and it has ancestors $x'$, $y$ and $y'$ such that

1. $x$ is a successor of $x'$ and $y$ is a successor of $y'$ and
2. $\mathcal{L}(x) = \mathcal{L}(y)$ and $\mathcal{L}(x') = \mathcal{L}(y')$ and
3. $\mathcal{L}(\langle x',x \rangle) = \mathcal{L}(\langle y',y \rangle)$.

In this case we will say that $y$ blocks $x$. Since this blocking technique involves pairs of nodes, it is called pair-wise blocking.

A node $y$ is indirectly blocked iff one of its ancestors is blocked, or it is a successor of a node $x$ and $\mathcal{L}(\langle x,y \rangle) = \emptyset$; the latter condition avoids wasted expansions after an application of the $\leqslant$-rule.

For a node $x$, $\mathcal{L}(x)$ is said to contain a clash iff $\{A, \neg A\} \subseteq \mathcal{L}(x)$ or if, for some concept $C$, some role $S$, and some $n \in \mathbb{N}$: $(\leqslant n\ S\ C) \in \mathcal{L}(x)$ and there are $n+1$ $S$-neighbours $y_0, \ldots, y_n$ of $x$ such that $C \in \mathcal{L}(y_i)$ and $y_i \neq y_j$ for all $0 \leq i < j \leq n$. A completion tree is called clash-free iff none of its nodes contains a clash; it is called complete iff none of the expansion rules in Figure 2 is applicable.

For a SHIQ-concept $D$, the algorithm starts with a completion tree consisting of a single node $x$ with $\mathcal{L}(x) = \{D\}$ and $\neq = \emptyset$. It applies the expansion rules in Figure 2, stopping when a clash occurs, and answers “$D$ is satisfiable” iff the completion rules can be applied in such a way that they yield a complete and clash-free completion tree.

The soundness and completeness of the tableaux algorithm is an immediate consequence of Lemmas 2 and 3.

Lemma 3. Let $D$ be an SHIQ-concept.

1. The tableaux algorithm terminates when started with $D$.
2. If the expansion rules can be applied to $D$ such that they yield a complete and clash-free completion tree, then $D$ has a tableau.
3. If $D$ has a tableau, then the expansion rules can be applied to $D$ such that they yield a complete and clash-free completion tree.

The proof can be found in the appendix. Here, we will only discuss the intuition behind the expansion rules and their correspondence to the constructors of SHIQ. Roughly speaking,² the completion tree is a partial description of a model whose individuals correspond to nodes, and whose interpretation of roles is taken from the edge labels. Since the completion tree is a tree, this would not yield a correct interpretation of transitive roles, and thus the interpretation of transitive roles is built via the transitive closure of the relations induced by the corresponding edge labels.

The $\sqcap$-, $\sqcup$-, $\exists$- and $\forall$-rules are the standard tableaux rules for ALC or the propositional modal logic $K_m$. The $\forall_+$-rule is the standard rule for $ALC_{R^+}$ or the propositional modal logic $S4_m$ extended to deal with role-hierarchies as follows. Assume a situation that satisfies the precondition of the $\forall_+$-rule, i.e., $\forall S.C \in$

² For the following considerations, we employ a simpler view of the correspondence between completion trees and models, and need not bother with the path construction mentioned above.
$\sqcap$-rule: if 1. $C_1 \sqcap C_2 \in \mathcal{L}(x)$, $x$ is not indirectly blocked, and
                 2. $\{C_1, C_2\} \not\subseteq \mathcal{L}(x)$
              then $\mathcal{L}(x) \to \mathcal{L}(x) \cup \{C_1, C_2\}$

$\sqcup$-rule: if 1. $C_1 \sqcup C_2 \in \mathcal{L}(x)$, $x$ is not indirectly blocked, and
                 2. $\{C_1, C_2\} \cap \mathcal{L}(x) = \emptyset$
              then $\mathcal{L}(x) \to \mathcal{L}(x) \cup \{C\}$ for some $C \in \{C_1, C_2\}$

$\exists$-rule: if 1. $\exists S.C \in \mathcal{L}(x)$, $x$ is not blocked, and
                  2. $x$ has no $S$-neighbour $y$ with $C \in \mathcal{L}(y)$,
               then create a new node $y$ with $\mathcal{L}(\langle x,y \rangle) = \{S\}$ and $\mathcal{L}(y) = \{C\}$

$\forall$-rule: if 1. $\forall S.C \in \mathcal{L}(x)$, $x$ is not indirectly blocked, and
                  2. there is an $S$-neighbour $y$ of $x$ with $C \notin \mathcal{L}(y)$
               then $\mathcal{L}(y) \to \mathcal{L}(y) \cup \{C\}$

$\forall_+$-rule: if 1. $\forall S.C \in \mathcal{L}(x)$, $x$ is not indirectly blocked, and
                    2. there is some $R$ with $\mathrm{Trans}(R)$ and $R \sqsubseteq^* S$,
                    3. there is an $R$-neighbour $y$ of $x$ with $\forall R.C \notin \mathcal{L}(y)$
                 then $\mathcal{L}(y) \to \mathcal{L}(y) \cup \{\forall R.C\}$

choose-rule: if 1. $(\bowtie n\ S\ C) \in \mathcal{L}(x)$, $x$ is not indirectly blocked, and
                2. there is an $S$-neighbour $y$ of $x$ with $\{C, \sim\! C\} \cap \mathcal{L}(y) = \emptyset$
             then $\mathcal{L}(y) \to \mathcal{L}(y) \cup \{E\}$ for some $E \in \{C, \sim\! C\}$

$\geqslant$-rule: if 1. $(\geqslant n\ S\ C) \in \mathcal{L}(x)$, $x$ is not blocked, and
                    2. there are not $n$ $S$-neighbours $y_1, \ldots, y_n$ of $x$ with
                       $C \in \mathcal{L}(y_i)$ and $y_i \neq y_j$ for $1 \leq i < j \leq n$
                 then create $n$ new nodes $y_1, \ldots, y_n$ with $\mathcal{L}(\langle x,y_i \rangle) = \{S\}$,
                      $\mathcal{L}(y_i) = \{C\}$, and $y_i \neq y_j$ for $1 \leq i < j \leq n$.

$\leqslant$-rule: if 1. $(\leqslant n\ S\ C) \in \mathcal{L}(x)$, $x$ is not indirectly blocked, and
                    2. $\sharp S^T(x,C) > n$ and there are two $S$-neighbours $y, z$ of $x$ with
                       $C \in \mathcal{L}(y)$, $C \in \mathcal{L}(z)$, $y$ is not an ancestor of $x$, and not $y \neq z$
                 then 1. $\mathcal{L}(z) \to \mathcal{L}(z) \cup \mathcal{L}(y)$ and
                      2. if $z$ is an ancestor of $x$
                         then $\mathcal{L}(\langle z,x \rangle) \to \mathcal{L}(\langle z,x \rangle) \cup \mathrm{Inv}(\mathcal{L}(\langle x,y \rangle))$
                         else $\mathcal{L}(\langle x,z \rangle) \to \mathcal{L}(\langle x,z \rangle) \cup \mathcal{L}(\langle x,y \rangle)$
                      3. $\mathcal{L}(\langle x,y \rangle) \to \emptyset$
                      4. Set $u \neq z$ for all $u$ with $u \neq y$

Fig. 2. The complete tableaux expansion rules for SHIQ



$\mathcal{L}(x)$, and there is an $R$-neighbour $y$ of $x$ with $\mathrm{Trans}(R)$, $R \sqsubseteq^* S$ and $\forall R.C \notin \mathcal{L}(y)$. If $y$ has an $R$-successor $z$, then, due to the transitivity of $R$, $z$ is also an $R$-successor of $x$. Since $R \sqsubseteq^* S$, it is also an $S$-successor of $x$ and hence must satisfy $C$. This is ensured by adding $\forall R.C$ to $\mathcal{L}(z)$.

The rules dealing with qualifying number restrictions work similarly to the rules given in [BBH96]. For a concept $(\geqslant n\ R\ C) \in \mathcal{L}(x)$, the $\geqslant$-rule generates $n$ $R$-successors $y_1, \ldots, y_n$ of $x$ with $C \in \mathcal{L}(y_i)$. To prevent the $\leqslant$-rule from identifying the new nodes, it also sets $y_i \neq y_j$ for each $1 \leq i < j \leq n$. Conversely, if $(\leqslant n\ R\ C) \in \mathcal{L}(x)$ and $x$ has more than $n$ $R$-neighbours that are labelled with $C$, then the $\leqslant$-rule chooses two of them that are not in $\neq$ and merges them, together with the edges connecting them with $x$. The definition of a clash takes care of the situation where the $\neq$ relation makes it impossible to merge any two $R$-neighbours of $x$, while the choose-rule ensures that all $R$-neighbours of $x$ are labelled with either $C$ or $\sim\! C$. Without this rule, the unsatisfiability of concepts like $(\geqslant 3\ R\ A) \sqcap (\leqslant 1\ R\ B) \sqcap (\leqslant 1\ R\ \neg B)$ would go undetected. The relation $\neq$ is used to prevent infinite sequences of rule applications for contradicting number restrictions of the form $(\geqslant n\ R\ C)$ and $(\leqslant m\ R\ C)$, with $n > m$. Labelling edges with sets of roles allows a single node to be both an $R$- and $S$-successor of $x$ even if $R$ and $S$ are not comparable with respect to $\sqsubseteq^*$.

The following theorem is an immediate consequence of Lemma 2 and 3, and 
Theorem 1. 

Theorem 2. The tableaux algorithm is a decision procedure for the satisfiability and subsumption of SHIQ-concepts with respect to terminologies.

3.2 A PSpace-algorithm for SI

To obtain a (worst-case) optimal algorithm for SI, the SHIQ algorithm is modified as follows. (a) Since SI does not allow for qualifying number restrictions, the $\geqslant$-, $\leqslant$-, and choose-rule can be omitted. In the absence of the choose-rule we may assume all concepts appearing in labels to be in NNF from the (smaller) set of all subconcepts of $D$ denoted by $\mathit{sub}(D)$, and in the absence of role hierarchies, edge labels can be restricted to roles (instead of sets of roles). Due to the absence of number restrictions the logic still has the finite model property, and blocking no longer need involve two pairs of nodes with identical labels, but only two nodes with (originally) identical labels. (b) To obtain a PSpace algorithm, we employ a refined blocking strategy which further loosens this “identity” condition to a “similarity” condition. This is achieved by using a second label $\mathcal{B}$ for each node. In the following, we will describe and motivate this blocking technique; detailed proofs as well as an extension of this result to SIN can be found in [HST98].

Establishing a PSPACE-result for SI is not as straightforward as it might seem at a first glance. One problem is the presence of inverse roles which might lead to constraints propagating upwards in the tree. This is not compatible with the standard trace technique [SS91] that keeps only a single path in memory at the same time, because constraints propagating upwards in the tree may have an influence on paths that have already been visited and have been discarded from memory. There are at least two possibilities to overcome this problem: (1) by guessing which constraints might propagate upwards beforehand; (2) by a reset-restart extension of the trace technique described later in this section. Unfortunately, this is not the only problem. To apply either of these two techniques, it is also necessary to establish a polynomial bound on the length of paths in the completion tree. This is easily established for logics such as ALC that do not allow for transitive roles. For ALC with transitive roles (i.e., S), this bound is due to the fact that, for a node $x$ to block a node $y$, it is sufficient that $\mathcal{L}(y) \subseteq \mathcal{L}(x)$. In the presence of inverse roles, we use a more sophisticated blocking technique to establish the polynomial bound.
$\sqcap$-rule: if 1. $C_1 \sqcap C_2 \in \mathcal{L}(x)$ and
                 2. $\{C_1, C_2\} \not\subseteq \mathcal{L}(x)$
              then $\mathcal{L}(x) \to \mathcal{L}(x) \cup \{C_1, C_2\}$

$\sqcup$-rule: if 1. $C_1 \sqcup C_2 \in \mathcal{L}(x)$ and
                 2. $\{C_1, C_2\} \cap \mathcal{L}(x) = \emptyset$
              then $\mathcal{L}(x) \to \mathcal{L}(x) \cup \{C\}$ for some $C \in \{C_1, C_2\}$

$\forall$-rule: if 1. $\forall S.C \in \mathcal{L}(x)$ and
                  2. there is an $S$-successor $y$ of $x$ with $C \notin \mathcal{B}(y)$
               then $\mathcal{L}(y) \to \mathcal{L}(y) \cup \{C\}$ and $\mathcal{B}(y) \to \mathcal{B}(y) \cup \{C\}$ or
                  2'. there is an $S$-predecessor $y$ of $x$ with $C \notin \mathcal{L}(y)$
               then $\mathcal{L}(y) \to \mathcal{L}(y) \cup \{C\}$.

$\forall_+$-rule: if 1. $\forall S.C \in \mathcal{L}(x)$ and $\mathrm{Trans}(S)$ and
                    2. there is an $S$-successor $y$ of $x$ with $\forall S.C \notin \mathcal{B}(y)$
                 then $\mathcal{L}(y) \to \mathcal{L}(y) \cup \{\forall S.C\}$ and $\mathcal{B}(y) \to \mathcal{B}(y) \cup \{\forall S.C\}$ or
                    2'. there is an $S$-predecessor $y$ of $x$ with $\forall S.C \notin \mathcal{L}(y)$
                 then $\mathcal{L}(y) \to \mathcal{L}(y) \cup \{\forall S.C\}$.

$\exists$-rule: if 1. $\exists S.C \in \mathcal{L}(x)$, $x$ is not blocked and no other rule
                     is applicable to any of its ancestors, and
                  2. $x$ has no $S$-neighbour $y$ with $C \in \mathcal{L}(y)$
               then create a new node $y$ with $\mathcal{L}(\langle x,y \rangle) = S$ and $\mathcal{L}(y) = \mathcal{B}(y) = \{C\}$

Fig. 3. Tableaux expansion rules for SI

Definition 5. A completion tree for an SI concept $D$ is a tree where each node $x$ of the tree is labelled with two sets $\mathcal{B}(x) \subseteq \mathcal{L}(x) \subseteq \mathit{sub}(D)$, and each edge $\langle x,y \rangle$ is labelled with a (possibly inverse) role $\mathcal{L}(\langle x,y \rangle)$ occurring in $\mathit{sub}(D)$.

$R$-neighbours, -successors, and -predecessors are defined as in Definition 4 where, in the absence of role hierarchies, $\sqsubseteq^*$ is the identity on $\mathbf{R}$.

A node $x$ is blocked iff $x$ has a blocked ancestor $y$, or $x$ has an ancestor $y$ and a predecessor $x'$ with $\mathcal{L}(\langle x',x \rangle) = S$, and

$\mathcal{B}(x) \subseteq \mathcal{L}(y)$ and $\mathcal{L}(x)/\mathrm{Inv}(S) = \mathcal{L}(y)/\mathrm{Inv}(S)$,

where $\mathcal{L}(x)/\mathrm{Inv}(S) = \{\forall \mathrm{Inv}(S).C \in \mathcal{L}(x)\}$.

For a node $x$, $\mathcal{L}(x)$ is said to contain a clash iff $\{A, \neg A\} \subseteq \mathcal{L}(x)$. A completion tree to which none of the expansion rules given in Figure 3 is applicable is called complete.

For an SI-concept $D$, the algorithm starts with a completion tree consisting of a single node $x$ with $\mathcal{B}(x) = \mathcal{L}(x) = \{D\}$. It applies the expansion rules in Figure 3, stopping when a clash occurs, and answers “$D$ is satisfiable” iff the completion rules can be applied in such a way that they yield a complete and clash-free completion tree.

As for SHIQ, correctness of the algorithm can be proved by first showing that a SI-concept is satisfiable iff it has a tableau, and next proving the SI-analogue of Lemma 3, see [HST98].
Theorem 3. The tableaux algorithm is a decision procedure for satisfiability and subsumption of SI-concepts.

Since blocking plays a major role both in the proof of Theorem 3 and especially in the following complexity considerations, we will discuss it here in more detail. Blocking guarantees the termination of the algorithm. For DLs such as ALC, termination is mainly due to the fact that the expansion rules can only add new concepts that are strictly smaller than the concept that triggered their application.

For S this is no longer true: the $\forall_+$-rule introduces new concepts that are the same size as the triggering concept. To ensure termination, nodes labelled with a subset of the label of an ancestor are blocked. Since rules can be applied “top-down” (successors are only generated if no other rules are applicable, and the labels of inner nodes are never touched again) and subset-blocking is sufficient (i.e., for a node $x$ to be blocked by an ancestor $y$, it is sufficient that $\mathcal{L}(x) \subseteq \mathcal{L}(y)$), it is possible to give a polynomial bound on the length of paths.
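As an added example (not code from the paper), the following Python program implements the S fragment of this machinery: NNF, the $\sqcap$-, $\sqcup$-, $\exists$-, $\forall$- and $\forall_+$-rules of Figure 2 without inverse roles, number restrictions or a role hierarchy, applied top-down with the subset-blocking of the paragraph above. It goes slightly beyond the paragraph in that it also decides subsumption through the reduction to unsatisfiability given in Section 2. The tuple encoding of concepts and all function names are this example's own.

```python
# Added example (not from the paper): a tableau-style satisfiability test for S
# (ALC plus transitive roles; no inverses, no role hierarchy), following the
# rule intuitions given for Figure 2 and the subset-blocking discussed above.
# Concepts are tuples: ('atom', A), ('not', C), ('and', C, D), ('or', C, D),
# ('some', R, C), ('all', R, C).  Roles and concept names are strings.

def nnf(c):
    """Push negation inwards so it occurs only in front of concept names."""
    op = c[0]
    if op == 'not':
        d = c[1]
        if d[0] == 'atom':
            return c
        if d[0] == 'not':
            return nnf(d[1])
        if d[0] == 'and':
            return ('or', nnf(('not', d[1])), nnf(('not', d[2])))
        if d[0] == 'or':
            return ('and', nnf(('not', d[1])), nnf(('not', d[2])))
        if d[0] == 'some':
            return ('all', d[1], nnf(('not', d[2])))
        return ('some', d[1], nnf(('not', d[2])))          # d[0] == 'all'
    if op in ('and', 'or'):
        return (op, nnf(c[1]), nnf(c[2]))
    if op in ('some', 'all'):
        return (op, c[1], nnf(c[2]))
    return c                                              # atom


def has_clash(label):
    """Clash: {A, ¬A} ⊆ L(x) for some concept name A (labels are in NNF)."""
    return any(('not', c) in label for c in label if c[0] == 'atom')


def expand(label, trans, ancestors):
    """Return True iff the node labelled `label` can be completed clash-free.
    `trans` is the set of transitive role names, `ancestors` the labels on the
    path from the root (used for subset-blocking)."""
    label = set(label)
    # ⊓-rule, applied to saturation (deterministic)
    changed = True
    while changed:
        changed = False
        for c in list(label):
            if c[0] == 'and' and not {c[1], c[2]} <= label:
                label |= {c[1], c[2]}
                changed = True
    if has_clash(label):
        return False
    # ⊔-rule: non-deterministic choice, explored by backtracking
    for c in label:
        if c[0] == 'or' and not ({c[1], c[2]} & label):
            return any(expand(label | {d}, trans, ancestors) for d in (c[1], c[2]))
    # Subset-blocking: a node whose label is contained in an ancestor's label
    # is blocked and gets no successors (sufficient for S, see the text above).
    if any(label <= anc for anc in ancestors):
        return True
    # ∃-rule: one successor per ∃R.C, immediately saturated with the ∀-rule
    # (C for every ∀R.C in L(x)) and the ∀+-rule (∀R.C itself when Trans(R)).
    for c in label:
        if c[0] == 'some':
            role, succ = c[1], {c[2]}
            for d in label:
                if d[0] == 'all' and d[1] == role:
                    succ.add(d[2])
                    if role in trans:
                        succ.add(d)
            if not expand(succ, trans, ancestors + [label]):
                return False
    return True


def satisfiable(concept, trans=frozenset()):
    """Decide satisfiability of an S-concept w.r.t. the transitive role names."""
    return expand({nnf(concept)}, set(trans), [])


def subsumes(d, c, trans=frozenset()):
    """C ⊑ D iff C ⊓ ¬D is unsatisfiable (the reduction of Section 2)."""
    return not satisfiable(('and', c, ('not', d)), trans)
```

Without the blocking check, a concept such as $\exists R.A \sqcap \forall R.\exists R.A$ with $\mathrm{Trans}(R)$ would generate an infinite $R$-path, since the $\forall_+$-rule copies $\forall R.\exists R.A$ into every successor.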

For SI, dynamic blocking was introduced in [HS99], i.e., blocks are not established on a once-and-for-all basis, but established and broken dynamically. Moreover, blocks must be established on the basis of label equality, since value restrictions can now constrain predecessors as well as successors. Unfortunately, this may lead to completion trees with exponentially long paths because there are exponentially many possibilities to label sets on such a path. Due to the non-deterministic $\sqcup$-rule, these exponentially many sets may actually occur.

This non-determinism is not problematical for S because disjunctions need not be completely decomposed to yield a subset-blocking situation. For an optimal SI algorithm, the additional label $\mathcal{B}$ was introduced to enable a sort of subset-blocking which is independent of the $\sqcup$-non-determinism. Intuitively, $\mathcal{B}(x)$ is the restriction of $\mathcal{L}(x)$ to those non-decomposed concepts that $x$ must satisfy, whereas $\mathcal{L}(x)$ contains boolean decompositions of these concepts as well as those that are imposed by value restrictions in descendants. If $x$ is blocked by $y$, then all concepts in $\mathcal{B}(x)$ are eventually decomposed in $\mathcal{L}(y)$. However, in order to substitute $x$ by $y$, $x$'s constraints on predecessors must be at least as strong as $y$'s; this is taken care of by the second blocking condition.

Let us consider a path $x_0, x_1, \ldots, x_n$ where all edges are labelled $R$ with $\mathrm{Trans}(R)$, the only kind of path along which the length of the longest concept in the labels might not decrease. If no rules can be applied, then we have, for $1 \leq i < n$,

$\mathcal{L}(x_{i+1})/\mathrm{Inv}(R) \subseteq \mathcal{L}(x_i)/\mathrm{Inv}(R)$ and $\mathcal{B}(x_i) \subseteq \mathcal{B}(x_{i+1}) \cup \{C_i\}$

(where $\exists R.C_i \in \mathcal{L}(x_i)$ triggered the generation of $x_{i+1}$). This limits the number of different labels and guarantees blocking after a polynomial number of steps.

Lemma 4. The paths of a completion tree for a concept $D$ have a length of at most $m^4$ where $m = |\mathit{sub}(D)|$.

Finally, a slight modification of the expansion rules given in Figure 3 yields a PSpace algorithm. This modification is necessary because the original algorithm must keep the whole completion tree in memory — which needs exponential space even though the length of its paths is polynomially bounded. The original algorithm may not forget about branches because restrictions which are pushed upwards in the tree might make it necessary to revisit paths which have been considered before. A reset-restart mechanism solves this problem as follows:

Whenever the $\forall$- or the $\forall_+$-rule is applied to a node $x$ and its predecessor $y$ (Case 2' of these rules), we delete all successors of $y$ from the completion tree (reset). While this makes it necessary to restart the generation of successors for $y$, it makes it possible to implement the algorithm in a depth-first manner which facilitates the re-use of space.

This modification does not affect the proof of soundness and completeness for the algorithm, but of course we have to re-prove termination [HST98] as it formerly relied on the fact that we never removed any nodes from the completion tree. Summing up we get:

Theorem 4. The modified algorithm is a PSpace decision procedure for satisfiability and subsumption of SI-concepts.

4 The Undecidability of Unrestricted SHIN⁺ 

Like earlier DLs that combine a hierarchy of (transitive and non-transitive) roles 
with some form of number restrictions [HS99, HST98], SHIN only allows sim- 
ple roles in restrictions, i.e. roles that are neither transitive nor have transitive 
subroles. The justification for this limitation has been partly on the grounds of a 
doubtful semantics (of transitive functional roles) and partly to simplify decision 
procedures. In this section, we will show that allowing arbitrary roles in SHIN 
number restrictions leads to undecidability. For convenience, we denote SHIN 
with arbitrary roles in number restrictions by SHIN⁺. 

The undecidability proof uses a reduction of the domino problem [Ber66] 
adapted from [BS96]. This problem asks whether, for a set of domino types, 
there exists a tiling of an ℕ × ℕ grid such that each point of the grid is covered with 
exactly one of the domino types, and adjacent dominoes are "compatible" with 
respect to some predefined criteria. 

Definition 6. A domino system 𝒟 = (D, H, V) consists of a non-empty set 
of domino types D = {D_1, ..., D_n}, and of sets of horizontally and vertically 
matching pairs H ⊆ D × D and V ⊆ D × D. The problem is to determine if, for 
a given 𝒟, there exists a tiling of an ℕ × ℕ grid such that each point of the grid is 
covered with a domino type in D and all horizontally and vertically adjacent pairs 
of domino types are in H and V respectively, i.e., a mapping t : ℕ × ℕ → D such 
that for all m, n ∈ ℕ, (t(m,n), t(m+1,n)) ∈ H and (t(m,n), t(m,n+1)) ∈ V. 

This problem can be reduced to the satisfiability of SHIN⁺-concepts, and 
the undecidability of the domino problem implies undecidability of satisfiability 
of SHIN⁺-concepts. 

Practical Reasoning for Expressive Description Logics 173 

Ensuring that each point is associated with exactly one domino type and that 
a point and its neighbours satisfy the compatibility conditions induced by H and 
V is simple for most logics (via the introduction of concepts C_{D_i} for domino types 
D_i, and the use of value restrictions and boolean connectives), and applying such 
conditions throughout the grid is also simple in a logic such as SHIN⁺ which 
can deal with arbitrary axioms. The crucial difficulty is representing the ℕ × ℕ 
grid using "horizontal" and "vertical" roles X and Y, and in particular forcing 
the coincidence of X∘Y- and Y∘X-successors. This can be accomplished in 
SHIN⁺ using an alternating pattern of two horizontal roles X_1 and X_2, and two 
vertical roles Y_1 and Y_2, with disjoint primitive concepts A, B, C, and D being 
used to identify points in the grid with different combinations of successors. The 
coincidence of X∘Y and Y∘X successors can then be enforced using number 
restrictions on transitive super-roles of each of the four possible combinations of 
X and Y roles. A visualisation of the resulting grid and a suitable role hierarchy 
is shown in Figure 4, where the S_ij are transitive roles. 
Fig. 4. Visualisation of the grid and role hierarchy. 



The alternation of X and Y roles in the grid means that one of the transitive 
super-roles S_ij connects each point (m,n) to the points (m+1,n), (m,n+1) and 
(m+1,n+1), and to no other points. A number restriction of the form ≤3 S_ij can 
thus be used to enforce the necessary coincidence of X∘Y- and Y∘X-successors. 
A complete specification of the grid is given by the following axioms: 

$$\begin{aligned}
A &\sqsubseteq \neg B \sqcap \neg C \sqcap \neg D \sqcap \exists X_1.B \sqcap \exists Y_1.C \sqcap \leqslant 3\, S_{11},\\
B &\sqsubseteq \neg A \sqcap \neg C \sqcap \neg D \sqcap \exists X_2.A \sqcap \exists Y_1.D \sqcap \leqslant 3\, S_{21},\\
C &\sqsubseteq \neg A \sqcap \neg B \sqcap \neg D \sqcap \exists X_1.D \sqcap \exists Y_2.A \sqcap \leqslant 3\, S_{12},\\
D &\sqsubseteq \neg A \sqcap \neg B \sqcap \neg C \sqcap \exists X_2.C \sqcap \exists Y_2.B \sqcap \leqslant 3\, S_{22}.
\end{aligned}$$

It only remains to add axioms which encode the local compatibility conditions 
(as described in [BS96]) and to assert that A, B, C, and D are subsumed by the 
disjunction of all domino types to enforce the placement of a tile on each point 
of the grid. The concept A is now satisfiable w.r.t. the various axioms (which 
can be internalised as described in Lemma 1) iff there is a compatible tiling of 
the grid. 
5 Discussion 

A new DL system is being implemented based on the SHIQ algorithm described 
in Section 3.1. Pending the completion of this project, the existing FaCT sys- 
tem [Hor98] has been modified to deal with inverse roles using the SHIQ block- 
ing strategy, giving a DL which is equivalent to SHI extended with functional 
roles [HS99]; we will refer to this DL as SHIF and to the modified FaCT system 
as I-FaCT. 

I-FaCT has been used to conduct some initial experiments with a terminology 
representing (fragments of) database schemata and inter-schema assertions from 
a data warehousing application [CDL+98] (a slightly simplified version of the 
proposed encoding was used to generate SHIF terminologies). I-FaCT is able to 
classify this terminology, which contains 19 concepts and 42 axioms, in less than 
0.1s of (266MHz Pentium) CPU time. In contrast, eliminating inverse roles using 
an embedding technique [CDR98] gives an equisatisfiable FaCT terminology with 
an additional 84 axioms, but one which FaCT is unable to classify in 12 hours 
of CPU time. 

An extension of the embedding technique can be used to eliminate number 
restrictions [DL95], but requires a target logic which supports the transitive 
closure of roles, i.e., converse-PDL. The even larger number of axioms which 
this embedding would introduce makes it unlikely that tractable reasoning could 
be performed on the resulting terminology. Moreover, we are not aware of any 
algorithm for converse-PDL which does not employ a so-called cut rule [DM98], 
the application of which introduces considerable additional non-determinism. 
It seems inevitable that this would lead to a further degradation in empirical 
tractability. 

As far as complexity is concerned, we have already been successful in extend- 
ing the PSpace-result for SI to SIN [HST98]. Currently we are working on an 
extension of this result to SIQ combining the techniques from this paper with 
those presented in [Tob99]. 
Appendix 

In this appendix we present the proof of Lemma 3, which is repeated here for 
easier reference. 

Lemma. Let D be an SHIQ-concept. 

1. (Termination) The tableaux algorithm terminates when started with D. 

2. (Soundness) If the expansion rules can be applied to D such that they yield 
a complete and clash-free completion tree, then D has a tableau. 

3. (Completeness) If D has a tableau, then the expansion rules can be applied 
to D such that they yield a complete and clash-free completion tree. 

(Termination) Let m = |clos(D)|, k = |R_D|, and n_max the maximum n that oc- 
curs in a concept of the form (⋈ n S C) ∈ clos(D). Termination is a consequence 
of the following properties of the expansion rules: 

- The expansion rules never remove nodes from the tree or concepts from node 
labels. Edge labels can only be changed by the ≤-rule which either expands 
them or sets them to ∅; in the latter case the node below the ∅-labelled edge 
is blocked and this block is never broken. 

- Each successor of a node x is the result of the application of the ∃-rule or the 
≥-rule to x. For a node x, each concept in L(x) can trigger the generation 
of successors at most once. 

For the ∃-rule, if a successor y of x was generated for a concept ∃S.C ∈ L(x) 
and later L(⟨x,y⟩) is set to ∅ by the ≤-rule, then there is some S-neighbour 
z of x with C ∈ L(z). 

For the ≥-rule, if y_1, ..., y_n were generated by the ≥-rule for (≥ n S C) ∈ 
L(x), then y_i ≠̇ y_j holds for all 1 ≤ i < j ≤ n. This implies that there are 
always n S-neighbours y'_1, ..., y'_n of x with C ∈ L(y'_i) and y'_i ≠̇ y'_j for all 
1 ≤ i < j ≤ n, since the ≤-rule never merges two nodes with y_i ≠̇ y_j, 
and, whenever an application of the ≤-rule sets L(⟨x, y_i⟩) to ∅, there is some 
S-neighbour z of x which "inherits" both C and all inequalities from y_i. 
Since clos(D) contains a total of at most m ∃R.C and (≥ n S C) concepts, 
the out-degree of the tree is bounded by m · n_max. 

- Nodes are labelled with non-empty subsets of clos(D) and edges with subsets 
of R_D, so there are at most 2^{2m+k} different possible labellings for a pair of 
nodes and an edge. Therefore, if a path p is of length at least 2^{2m+k}, then from 
the pair-wise blocking condition there must be two nodes x, y on p such that 
x is directly blocked by y. Furthermore, if a node was generated at distance 
ℓ from the root node, it always remains at this distance, and thus paths are 
not curled up or shortened. Since a path on which nodes are blocked cannot 
become longer, paths are of length at most 2^{2m+k}. □ 

(Soundness) Let T be a complete and clash-free completion tree. A path is a 
sequence of pairs of nodes of T of the form p = [x_0/x'_0, ..., x_n/x'_n]. For such a path 
we define Tail(p) := x_n and Tail'(p) := x'_n. With [p | x_{n+1}/x'_{n+1}] we denote the path 
[x_0/x'_0, ..., x_{n+1}/x'_{n+1}]. The set Paths(T) is defined inductively as follows: 

- For the root node x_0 of T, [x_0/x_0] ∈ Paths(T), and 

- For a path p ∈ Paths(T) and a node z in T: 

• if z is a successor of Tail(p) and z is not blocked, then [p | z/z] ∈ Paths(T), 
or 

• if, for some node y in T, y is a successor of Tail(p) and z blocks y, then 
[p | z/y] ∈ Paths(T). 

Please note that, due to the construction of Paths, for p ∈ Paths(T) with 
p = [p' | x/x'], we have that x is not blocked, x' is blocked iff x ≠ x', and x' is never 
indirectly blocked. Furthermore, L(x) = L(x') holds. 

Now we can define a tableau T = (S, L, E) with: 

$$\begin{aligned}
\mathbf{S} &= \mathrm{Paths}(\mathbf{T})\\
\mathcal{L}(p) &= \mathcal{L}(\mathrm{Tail}(p))\\
\mathcal{E}(R) &= \{(p,q) \in \mathbf{S}\times\mathbf{S} \mid \text{either } q = [p \,|\, \tfrac{x}{x'}] \text{ and } x' \text{ is an } R\text{-successor of } \mathrm{Tail}(p)\\
&\qquad\qquad\qquad\qquad\ \text{or } p = [q \,|\, \tfrac{x}{x'}] \text{ and } x' \text{ is an } \mathsf{Inv}(R)\text{-successor of } \mathrm{Tail}(q)\}.
\end{aligned}$$

Claim: T is a tableau for D with respect to ℛ. 

We show that T satisfies all the properties from Definition 3. 

- D ∈ L([x_0/x_0]) since D ∈ L(x_0). 

- Property 1 holds because T is clash-free; Properties 2,3 hold because 
Tail(p) is not blocked and T is complete. 

- Property 4: Assume ∀S.C ∈ L(p) and (p,q) ∈ E(S). If q = [p | x/x'], then x' 
is an S-successor of Tail(p) and thus C ∈ L(x') (because the ∀-rule is not 
applicable). Since L(q) = L(x) = L(x'), we have C ∈ L(q). If p = [q | x/x'], 
then x' is an Inv(S)-successor of Tail(q) and thus C ∈ L(Tail(q)) (because x' 
is not indirectly blocked and the ∀-rule is not applicable), hence C ∈ L(q). 

- Property 5: Assume ∃S.C ∈ L(p). Define x := Tail(p). In T there is an S- 
neighbour y of x with C ∈ L(y), because the ∃-rule is not applicable. There 
are two possibilities: 

• y is a successor of x in T. If y is not blocked, then q := [p | y/y] ∈ S and 
(p, q) ∈ E(S) as well as C ∈ L(q). If y is blocked by some node z in T, 
then q := [p | z/y] ∈ S. 

• y is a predecessor of x. Again, there are two possibilities: 

* p is of the form p = [q | x/x'] with Tail(q) = y. 

* p is of the form p = [q | x/x'] with Tail(q) = u ≠ y. x only has one 
predecessor in T, hence u is not the predecessor of x. This implies 
x ≠ x', x blocks x' in T, and u is the predecessor of x' due to the 
construction of Paths. Together with the definition of the blocking 
condition, this implies L(⟨u,x'⟩) = L(⟨y,x⟩) as well as L(u) = L(y) 
due to the pair-wise blocking condition. 

In all three cases, (p, q) ∈ E(S) and C ∈ L(q). 
- Property 6: Assume ∀S.C ∈ L(p), (p,q) ∈ E(R) for some R ⊑* S with 
Trans(R). If q = [p | x/x'], then x' is an R-successor of Tail(p) and thus ∀R.C ∈ 
L(x') (because otherwise the ∀₊-rule would be applicable). From L(q) = 
L(x) = L(x') it follows that ∀R.C ∈ L(q). If p = [q | x/x'], then x' is an Inv(R)- 
successor of Tail(q) and hence Tail(q) is an R-neighbour of x'. Because x' 
is not indirectly blocked, this implies ∀R.C ∈ L(Tail(q)) and hence ∀R.C ∈ 
L(q). 

- Property 11: Assume (⋈ n S C) ∈ L(p), (p,q) ∈ E(S). If q = [p | x/x'], 
then x' is an S-successor of Tail(p) and thus {C, ~C} ∩ L(x') ≠ ∅ (since 
the choose-rule is not applicable). Since L(q) = L(x) = L(x'), we have 
{C, ~C} ∩ L(q) ≠ ∅. If p = [q | x/x'], then x' is an Inv(S)-successor of Tail(q) 
and thus {C, ~C} ∩ L(Tail(q)) ≠ ∅ (since x' is not indirectly blocked and the 
choose-rule is not applicable), hence {C, ~C} ∩ L(q) ≠ ∅. 

- Assume Property 9 is violated. Hence there is some p ∈ S with (≤ n S C) ∈ 
L(p) and #S^T(p,C) > n. We show that this implies #S^T(Tail(p),C) > n, 
in contradiction of either the clash-freeness or completeness of T. Define 
x := Tail(p) and P := S^T(p,C). Due to the assumption, we have #P > n. 
We distinguish two cases: 

• P contains only paths of the form q = [p | y/y']. We claim that the function 
Tail' is injective on P. Assume that there are two paths q_1, q_2 ∈ P with 
q_1 ≠ q_2 and Tail'(q_1) = Tail'(q_2) = y'. Then q_1 is of the form q_1 = 
[p | y_1/y'] and q_2 is of the form q_2 = [p | y_2/y'] with y_1 ≠ y_2. If y' is not 
blocked in T, then y_1 = y' = y_2, contradicting y_1 ≠ y_2. If y' is blocked 
in T, then both y_1 and y_2 block y', which implies y_1 = y_2, again a 
contradiction. 

Since Tail' is injective on P, it holds that #P = #Tail'(P). Also for each 
y' ∈ Tail'(P), y' is an S-successor of x and C ∈ L(y'). This implies 
#S^T(x,C) > n. 

• P contains a path q where p is of the form p = [q | x/x']. Obviously, P may 
only contain one such path. As in the previous case, Tail' is an injective 
function on the set P' := P \ {q}, each y' ∈ Tail'(P') is an S-successor of x 
and C ∈ L(y') for each y' ∈ Tail'(P'). To show that indeed #S^T(x, C) > n 
holds, we have to prove the existence of a further S-neighbour u of x with 
C ∈ L(u) and u ∉ Tail'(P'). This will be "supplied" by z := Tail(q). We 
distinguish two cases: 

* x = x'. Hence x is not blocked. This implies that x is an Inv(S)- 
successor of z in T. Since Tail'(P') contains only successors of x, we 
have that z ∉ Tail'(P') and, by construction, z is an S-neighbour of 
x with C ∈ L(z). 

* x ≠ x'. This implies that x' is blocked in T by x and that x' is an 
Inv(S)-successor of z in T. The definition of pairwise-blocking implies 
that x is an Inv(S)-successor of some node u in T with L(u) = L(z). 
Again, since Tail'(P') contains only successors of x we have that 
u ∉ Tail'(P') and, by construction, u is an S-neighbour of x and 
C ∈ L(u). 
- Property 10: Assume (≥ n S C) ∈ L(p). Completeness of T implies that 
there exist n individuals y_1, ..., y_n in T such that each is an S-neighbour 
of Tail(p) and C ∈ L(y_i). We claim that, for each of these individuals, there 
is a path q_i such that (p, q_i) ∈ E(S), C ∈ L(q_i), and q_i ≠ q_j for all 1 ≤ i < 
j ≤ n. Obviously, this implies #S^T(p,C) ≥ n. For each y_i there are three 
possibilities: 

• y_i is an S-successor of x and y_i is not blocked in T. Then q_i = [p | y_i/y_i] is 
a path with the desired properties. 

• y_i is an S-successor of x and y_i is blocked in T by some node z. Then 
q_i = [p | z/y_i] is the path with the desired properties. Since the same z may 
block several of the y_i's, it is indeed necessary to include y_i explicitly into 
the path to make them distinct. 

• x is an Inv(S)-successor of y_i. There may be at most one such y_i. This 
implies that p is of the form p = [q | x/x'] with Tail(q) = y_i. Again, q has 
the desired properties and, obviously, q is distinct from all other paths 
q_j. 

- Property 7 is satisfied due to the symmetric definition of E. Property 8 
is satisfied due to the definition of R-successor that takes into account the 
role hierarchy ℛ. □ 

(Completeness) Let T = (S, L, E) be a tableau for D w.r.t. ℛ. We use this 
tableau to guide the application of the non-deterministic rules. To do this, we 
will inductively define a function π, mapping the individuals of the tree T to S 
such that, for each x, y in T: 

$$\left.\begin{aligned}
&\mathcal{L}(x) \subseteq \mathcal{L}(\pi(x))\\
&\text{if } y \text{ is an } S\text{-neighbour of } x, \text{ then } (\pi(x),\pi(y)) \in \mathcal{E}(S)\\
&x \not\doteq y \text{ implies } \pi(x) \neq \pi(y)
\end{aligned}\;\right\}\quad(*)$$

Claim: Let T be a completion-tree and π a function that satisfies (*). If a 
rule is applicable to T then the rule is applicable to T in a way that yields a 
completion-tree T' and an extension of π that satisfy (*). 

Let T be a completion-tree and π be a function that satisfies (*). We have to 
consider the various rules. 

- The ⊓-rule: If C_1 ⊓ C_2 ∈ L(x), then C_1 ⊓ C_2 ∈ L(π(x)). This implies 
C_1, C_2 ∈ L(π(x)) due to Property 2 from Definition 3, and hence the rule 
can be applied without violating (*). 

- The ⊔-rule: If C_1 ⊔ C_2 ∈ L(x), then C_1 ⊔ C_2 ∈ L(π(x)). Since T is a tableau, 
Property 3 from Definition 3 implies {C_1, C_2} ∩ L(π(x)) ≠ ∅. Hence the ⊔- 
rule can add a concept E ∈ {C_1, C_2} to L(x) such that L(x) ⊆ L(π(x)) 
holds. 

- The ∃-rule: If ∃S.C ∈ L(x), then ∃S.C ∈ L(π(x)) and, since T is a tableau, 
Property 5 of Definition 3 implies that there is an element t ∈ S such that 
(π(x), t) ∈ E(S) and C ∈ L(t). The application of the ∃-rule generates a new 
variable y with L(⟨x, y⟩) = {S} and L(y) = {C}. Hence we set π := π[y ↦ t] 
which yields a function that satisfies (*) for the modified tree. 

- The ∀-rule: If ∀S.C ∈ L(x), then ∀S.C ∈ L(π(x)), and if y is an S- 
neighbour of x, then also (π(x), π(y)) ∈ E(S) due to (*). Since T is a tableau, 
Property 4 of Definition 3 implies C ∈ L(π(y)) and hence the ∀-rule can be 
applied without violating (*). 

- The ∀₊-rule: If ∀S.C ∈ L(x), then ∀S.C ∈ L(π(x)), and if there is some 
R ⊑* S with Trans(R) and y is an R-neighbour of x, then also (π(x), π(y)) ∈ 
E(R) due to (*). Since T is a tableau, Property 6 of Definition 3 implies 
∀R.C ∈ L(π(y)) and hence the ∀₊-rule can be applied without violating (*). 

- The choose-rule: If (⋈ n S C) ∈ L(x), then (⋈ n S C) ∈ L(π(x)), and, 
if there is an S-neighbour y of x, then (π(x), π(y)) ∈ E(S) due to (*). Since 
T is a tableau, Property 11 of Definition 3 implies {C, ~C} ∩ L(π(y)) ≠ ∅. 
Hence the choose-rule can add an appropriate concept E ∈ {C, ~C} to L(y) 
such that L(y) ⊆ L(π(y)) holds. 

- The ≥-rule: If (≥ n S C) ∈ L(x), then (≥ n S C) ∈ L(π(x)). Since T is a 
tableau, Property 10 of Definition 3 implies #S^T(π(x), C) ≥ n. Hence there 
are individuals t_1, ..., t_n ∈ S such that (π(x), t_i) ∈ E(S), C ∈ L(t_i), and 
t_i ≠ t_j for 1 ≤ i < j ≤ n. The ≥-rule generates n new nodes y_1, ..., y_n. By 
setting π := π[y_1 ↦ t_1, ..., y_n ↦ t_n], one obtains a function π that satisfies 
(*) for the modified tree. 

- The ≤-rule: If (≤ n S C) ∈ L(x), then (≤ n S C) ∈ L(π(x)). Since T is a 
tableau, Property 9 of Definition 3 implies #S^T(π(x), C) ≤ n. If the ≤-rule 
is applicable, we have #S^T(x, C) > n, which implies that there are at least 
n + 1 S-neighbours y_0, ..., y_n of x such that C ∈ L(y_i). Thus, there must 
be two nodes y, z ∈ {y_0, ..., y_n} such that π(y) = π(z) (because otherwise 
#S^T(π(x), C) > n would hold). From π(y) = π(z) we have that y ≠̇ z cannot 
hold because of (*), and y, z can be chosen such that y is not an ancestor of 
z. Hence the ≤-rule can be applied without violating (*). 

Why does this claim yield the completeness of the tableaux algorithm? For 
the initial completion-tree consisting of a single node x_0 with L(x_0) = {D} and 
≠̇ = ∅ we can give a function π that satisfies (*) by setting π(x_0) := s_0 for some 
s_0 ∈ S with D ∈ L(s_0) (such an s_0 exists since T is a tableau for D). Whenever 
a rule is applicable to T, it can be applied in a way that maintains (*), and, 
since the algorithm terminates, we have that any sequence of rule applications 
must terminate. Properties (*) imply that any tree T generated by these rule- 
applications must be clash-free as there are only two possibilities for a clash, and 
it is easy to see that neither of these can hold in T: 

- T cannot contain a node x such that {C, ¬C} ⊆ L(x) because L(x) ⊆ 
L(π(x)) and hence Property 1 of Definition 3 would be violated for π(x). 

- T cannot contain a node x with (≤ n S C) ∈ L(x) and n + 1 S-neighbours 
y_0, ..., y_n of x with C ∈ L(y_i) and y_i ≠̇ y_j for 0 ≤ i < j ≤ n because (≤ 
n S C) ∈ L(π(x)), and, since y_i ≠̇ y_j implies π(y_i) ≠ π(y_j), #S^T(π(x), C) > 
n, in contradiction to Property 9 of Definition 3. □ 
Abstract. TBoxes in their various forms are key components of knowl- 
edge representation systems based on description logics (DLs) since they 
allow for a natural representation of terminological knowledge. Largely 
due to a classical result given by Nebel [15], complexity analyses for DLs 
have, until now, mostly failed to take into account the most basic form 
of TBoxes, so-called acyclic TBoxes. In this paper, we concentrate on 
DLs for which reasoning without TBoxes is PSpace-complete, and show 
that there exist logics for which the complexity of reasoning remains in 
PSpace if acyclic TBoxes are added and also logics for which the com- 
plexity increases. This demonstrates that it is necessary to take acyclic 
TBoxes into account for complexity analyses. 



1 Introduction 

A core feature of description logics is their ability to represent and reason 
about terminological knowledge. Terminological knowledge is stored in so-called 
TBoxes which mainly come in two flavours. So-called acyclic TBoxes are sets 
of concept definitions that can be thought of as non-recursive macro defini- 
tions whereas general TBoxes allow to state equivalence of arbitrary, complex 
concepts. In this paper, we consider the complexity of reasoning with acyclic 
TBoxes.¹ Surprisingly, although computational complexity of reasoning is a ma- 
jor topic in description logic research, most complexity results available concen- 
trate either on reasoning without TBoxes or on reasoning with general TBoxes 
(see, e.g., [7], [8], [9], and [10]). 

There are two main reasons for this. The first reason is that acyclic TBoxes 
are properly subsumed by general TBoxes. However, for many DLs, reasoning 
with acyclic TBoxes can be expected to be less complex than reasoning with 
general TBoxes, and, hence, it is interesting to know the exact complexity of 
reasoning with them. Moreover, there exist description logics for which reasoning 
with general TBoxes is undecidable but reasoning with acyclic TBoxes is not. 
In this case, it is obviously desirable to determine the complexity of reasoning 
with acyclic TBoxes. 

¹ Hence, when talking of TBoxes, we generally refer to acyclic TBoxes unless otherwise 
noted. 
The second reason can be understood historically. Early DL systems used 
unfolding to reduce reasoning with acyclic TBoxes to reasoning with concepts. 
Unfolding a concept C w.r.t. a TBox T means iteratively replacing concept 
names in C by their definitions given in T. For example, the result of unfolding 
the concept Man ⊓ ∃married-to.Wife w.r.t. the TBox 

{Man = ¬Female, Wife = Female ⊓ Married} 

yields ¬Female ⊓ ∃married-to.(Female ⊓ Married). In his seminal paper, Nebel 
showed that, in the worst case, unfolding may result in an exponential blow- 
up of the concept size [15]. Since the complexity of reasoning with description 
logics is usually not ExpSpace-hard, this result shows that unfolding is not an 
adequate means for treating TBoxes. Nebel also showed that in realistic, practical 
applications, the worst case is almost never encountered. Largely due to these 
results (and possibly misunderstandings of these results), complexity analyses 
of reasoning with acyclic TBoxes have long been neglected: First, one could 
(wrongly) think that reasoning with acyclic TBoxes is necessarily ExpSpace- 
hard, and that it is sensible to consider only general TBoxes since this — given the 
misunderstanding — does not seem to make things harder. Second, since the worst 
case seems not to occur in most practical applications, one could be tempted to 
think that unfolding is a proper tool for DL systems and that it is not rewarding 
to search for better alternatives. Last, if one is only interested in decidability of 
concepts w.r.t. acyclic TBoxes, unfolding is a technique which is easy to use and 
always applicable. 
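As an added illustration (not code from the paper), the following Python unfolds a concept w.r.t. an acyclic TBox, reproduces the Man/Wife example above, and constructs a TBox family (an assumption of this example, not one from the paper) on which the unfolded concept grows exponentially while the TBox itself grows only linearly, which is the blow-up Nebel's result describes.

```python
# Added example, not from the paper: unfolding w.r.t. an acyclic TBox.
# Concepts are nested tuples (a representation chosen for this example):
#   ("name", A)         concept name
#   ("not", C)          ¬C
#   ("and", C, D)       C ⊓ D
#   ("or", C, D)        C ⊔ D
#   ("some", R, C)      ∃R.C
#   ("all", R, C)       ∀R.C
# A TBox is a dict {defined_name: concept} with unique left-hand sides.


def names_in(c):
    """All concept names occurring in concept c."""
    kind = c[0]
    if kind == "name":
        return {c[1]}
    if kind == "not":
        return names_in(c[1])
    if kind in ("and", "or"):
        return names_in(c[1]) | names_in(c[2])
    return names_in(c[2])          # "some" / "all": skip the role name


def is_acyclic(tbox):
    """True iff no defined name (transitively) uses itself (Definition 1)."""
    def uses_self(a, current, seen):
        for b in names_in(tbox[current]):
            if b == a:
                return True
            if b in tbox and b not in seen:
                seen.add(b)
                if uses_self(a, b, seen):
                    return True
        return False
    return not any(uses_self(a, a, {a}) for a in tbox)


def unfold(c, tbox):
    """Replace defined concept names by their definitions until none remain."""
    kind = c[0]
    if kind == "name":
        return unfold(tbox[c[1]], tbox) if c[1] in tbox else c
    if kind == "not":
        return ("not", unfold(c[1], tbox))
    if kind in ("and", "or"):
        return (kind, unfold(c[1], tbox), unfold(c[2], tbox))
    return (kind, c[1], unfold(c[2], tbox))


def size(c):
    """Number of constructor/name nodes in c (a measure of concept size)."""
    kind = c[0]
    if kind == "name":
        return 1
    if kind in ("not", "some", "all"):
        return 1 + size(c[-1])
    return 1 + size(c[1]) + size(c[2])


# The paper's example: Man ⊓ ∃married-to.Wife w.r.t. {Man = ¬Female, Wife = Female ⊓ Married}
FAMILY_TBOX = {
    "Man": ("not", ("name", "Female")),
    "Wife": ("and", ("name", "Female"), ("name", "Married")),
}
FAMILY_CONCEPT = ("and", ("name", "Man"), ("some", "married-to", ("name", "Wife")))


def blowup_tbox(n):
    """Constructed TBox A_i = ∃r.A_{i+1} ⊓ ∃s.A_{i+1} for 0 <= i < n; A_n stays primitive.
    The TBox has 5n nodes in total, but unfolding A_0 yields a concept of size 2^(n+2) - 3."""
    return {f"A{i}": ("and", ("some", "r", ("name", f"A{i + 1}")),
                             ("some", "s", ("name", f"A{i + 1}"))) for i in range(n)}


if __name__ == "__main__":
    print(unfold(FAMILY_CONCEPT, FAMILY_TBOX))
    for n in (4, 8, 12):
        t = blowup_tbox(n)
        assert is_acyclic(t)
        print(n, sum(size(c) for c in t.values()), size(unfold(("name", "A0"), t)))
```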

For many DLs, reasoning without TBoxes is PSpace-complete (see, e.g., [9], 
[12], [18]). Although the complexity of reasoning with acyclic TBoxes is rarely 
addressed formally, it is "common knowledge" in the DL community that, if 
reasoning without TBoxes is in PSpace, then taking into account TBoxes does 
"usually" not increase complexity. This knowledge has been exploited for efficient 
practical reasoning with TBoxes [5], but has, to the best of our knowledge, never 
been used to obtain theoretical complexity results. This is even more surprising 
since Nebel showed that there exist DLs for which reasoning w.r.t. TBoxes is 
harder than reasoning with concepts, only (in Nebel's case, complexity moved 
from P to NP) [15]. 

In this paper, we focus on logics for which "pure concept satisfiability" (i.e., 
concept satisfiability w.r.t. the empty TBox) is PSpace-complete and explore 
the impact of TBoxes on the complexity of the basic DL reasoning tasks satisfi- 
ability and subsumption. It turns out that there exist logics for which reasoning 
remains in PSpace and also DLs for which reasoning gets significantly harder. 
In the first part of this paper, we focus on ALC, the basic description logic for 
which pure concept satisfiability is in PSpace [17]. The "common knowledge" 
mentioned above is used to demonstrate how a pure ALC concept satisfiabil- 
ity algorithm using the so-called trace technique [17] can be modified to take 
into account TBoxes such that the resulting algorithm can still be executed in 
polynomial space. Roughly speaking, TBoxes have to be converted to a nor- 
mal form which allows the tracing algorithm to operate exclusively on concept 
names (instead of concept expressions). Using the presented modification tech- 
nique, it is proved that satisfiability of ALC concepts w.r.t. acyclic TBoxes is 
still PSpace-complete. 

In the second part of this paper, we show that this technique does not al- 
ways work: there exist description logics for which pure concept satisfiability 
is PSpace-complete but the extension by TBoxes makes reasoning harder. We 
identify ALCF, i.e., the extension of ALC with features, feature agreement and 
feature disagreement, to be such a logic. Pure concept satisfiability is known 
to be PSpace-complete for this logic [11]. Using a reduction of a constrained 
version of the domino problem, it is proved that satisfiability of ALCF concepts 
w.r.t. TBoxes is NExpTime-hard. Applying the modification technique from the 
first part to an existing algorithm, it is shown that it is also in NExpTime and 
hence NExpTime-complete. 

2 Description Logics 

In this section, the description logic ALCF is introduced (see also [11]). All logics 
considered in this paper are fragments of ALCF. 

Definition 1. Let N_C, N_R, and N_F be disjoint sets of concept, role, and feature 
names. A composition f_1 ··· f_n of features is called a feature chain. The set of 
ALCF concepts is the smallest set such that 

1. every concept name is a concept (atomic concepts), and 
2. if C and D are concepts, R is a role or feature, and u_1 and u_2 are feature 
chains, then the following expressions are also concepts: ¬C, C ⊓ D, C ⊔ D, 
∀R.C, ∃R.C, u_1↓u_2, and u_1↑u_2. 

Let A be a concept name and C be a concept. Then A = C is a concept defi- 
nition. Let T be a finite set of concept definitions. A concept name A directly 
uses a concept name B in T if there is a concept definition A = C in T such 
that B appears in C. Let uses be the transitive closure of “directly uses”. T is 
called acyclic if there is no concept name A such that A uses itself in T. If T is 
acyclic, and, furthermore, the left-hand sides of all concept definitions in T are 
unique, then T is called a TBox. 

Let R_1, ..., R_n be features or roles. We will use ∀R_1 ... R_n.C (∃R_1 ... R_n.C) 
as an abbreviation for ∀R_1.∀R_2 ... ∀R_n.C (∃R_1.∃R_2 ... ∃R_n.C). ALCF concepts 
which do not contain features are called ALC concepts. Next, we define the 
semantics of the language introduced. 

Definition 2. An interpretation I = (Δ_I, ·^I) is a pair (Δ_I, ·^I). Δ_I is called 
the domain and ·^I the interpretation function. The interpretation function maps 

— each concept name C to a subset C^I of Δ_I, 

— each role name R to a subset R^I of Δ_I × Δ_I, and 

— each feature name f to a partial function f^I from Δ_I to Δ_I. 
If u = f_1 ··· f_k is a feature chain, then u^I is defined as the composition f_k^I ∘ ··· ∘ f_1^I 
of the partial functions f_1^I, ..., f_k^I. Let the symbols C, D, R, u_1, and u_2 be de- 
fined as in Definition 1. The interpretation function can inductively be extended 
to complex concepts as follows: 

An interpretation I is a model of a TBox T iff it satisfies A^I = C^I for all 
concept definitions A = C in T. A concept C subsumes a concept D w.r.t. a 
TBox T (written D ⊑_T C) iff D^I ⊆ C^I for all models I of T. A concept C is 
satisfiable w.r.t. a TBox T iff there exists a model I of T such that C^I ≠ ∅. 

Subsumption can be reduced to satisfiability since D ⊑_T C iff the concept 
D ⊓ ¬C is unsatisfiable w.r.t. T. Satisfiability can be reduced to subsumption 
since C is unsatisfiable w.r.t. T iff C ⊑_T ⊥, where ⊥ is an abbreviation for 
A ⊓ ¬A. 

Sometimes, generalized concept definitions called "general concept inclu- 
sions" (GCIs) are considered. A GCI has the form C ⊑ D, where both C and 
D are (possibly complex) concepts. An interpretation I is a model for a GCI 
C ⊑ D iff C^I ⊆ D^I. TBoxes containing GCIs are called generalized. In this 
paper, we will not admit generalized TBoxes unless explicitly mentioned. 

2.1 Extending Completion Algorithms 

Most satisfiability algorithms for description logics are so-called completion algo- 
rithms, which check the satisfiability of concepts by trying to explicitly construct 
a canonical model. Completion algorithms are described by a rule set and a strat- 
egy to apply these rules. The rules operate on constraint systems, i.e., partial 
descriptions of models. Constraints are comprised of objects, concepts and roles. 
In the following, we will present a completion algorithm for deciding satisfiability 
of ALC concepts w.r.t. the empty TBox which was first described in [17]. We 
will then show how this algorithm can be modified to handle TBoxes. Both the 
original algorithm and its extension can be executed in polynomial space. The 
modification scheme presented is also applicable to a variety of other description 
logics. 

The algorithm requires ALC concepts to be in negation normal form. A 
concept is in negation normal form (NNF) iff negation occurs only in front of 
atomic concepts. It is easy to see that any ALC concept can be converted into 
an equivalent one in NNF in linear time by exhaustively applying the following 
rewrite rules: 

— ¬(C ⊓ D) → (¬C ⊔ ¬D), ¬(C ⊔ D) → (¬C ⊓ ¬D), ¬¬C → C 

— ¬(∃R.C) → ∀R.¬C, ¬(∀R.C) → ∃R.¬C 

Definition 3. Let O_a be a set of object names. For a, b ∈ O_a, an ALC concept 
C, and R ∈ N_R, the expressions a : C and (a, b) : R are ALC constraints. A finite 
set of constraints S is called an ALC constraint system. Interpretations can be 
extended to constraint systems by mapping every object name to an element of 
Δ_I. The unique name assumption is not imposed, i.e. a^I = b^I may hold even 
if a and b are distinct object names. An interpretation I satisfies a constraint 

a : C iff a^I ∈ C^I, and (a, b) : R iff (a^I, b^I) ∈ R^I. 

An interpretation is a model of a constraint system S iff it satisfies all con- 
straints in S. 

To decide the satisfiability of an ALC concept C in NNF (w.r.t. the empty TBox), the algorithm starts with the constraint system S_0 := {a : C} and repeatedly applies completion rules. If a constraint system is found which does not contain a contradiction and to which no completion rule is applicable, then this constraint system has a model, which implies the existence of a model for C w.r.t. the empty TBox. If no such constraint system can be found, C is unsatisfiable. One of the completion rules is nondeterministic, i.e., there is more than one possible outcome of a rule application. Hence, the described completion algorithm is a nondeterministic decision procedure, i.e., it returns satisfiable iff there is a way to make the nondeterministic decisions such that a positive result is obtained.

Definition 4. The following completion rules replace a given constraint system S nondeterministically by a constraint system S'. S' is called a descendant of S. An object a ∈ O_A is called fresh in S if a is not used in S. In the following, C and D denote concepts, R a role, and a and b object names from O_A.

R⊓ The conjunction rule.

If a : C ⊓ D ∈ S, {a : C, a : D} ⊈ S, then S' := S ∪ {a : C, a : D}

R⊔ The (nondeterministic) disjunction rule.

If a : C ⊔ D ∈ S, {a : C, a : D} ∩ S = ∅, then S' := S ∪ {a : C} or S' := S ∪ {a : D}

R∃C The exists restriction rule.

If a : ∃R.C ∈ S, and there is no b ∈ O_A such that {(a, b) : R, b : C} ⊆ S,
then S' := S ∪ {(a, b) : R, b : C} where b ∈ O_A is fresh in S.

R∀C The value restriction rule.

If a : ∀R.C ∈ S and there is a b ∈ O_A such that (a, b) : R ∈ S and b : C ∉ S,
then S' := S ∪ {b : C}

A constraint system S is called contradictory iff {a : C, a : ¬C} ⊆ S for some a ∈ O_A and C ∈ N_C. A constraint system to which no completion rules are applicable is called complete.

define procedure sat(S)
  while a rule r from {R⊓, R⊔} is applicable to S do
    S := apply(S, r)
  if S is contradictory then
    return unsatisfiable
  forall a : ∃R.D ∈ S do
    Let b be an object name from O_A
    if sat({b : D} ∪ {b : E | a : ∀R.E ∈ S}) = unsatisfiable then
      return unsatisfiable
  return satisfiable

Fig. 1. The algorithm for deciding satisfiability of ALC concepts w.r.t. the empty TBox.

Let apply be a function which takes a constraint system S and a completion rule r as argument, applies r once to an arbitrary set of constraints in S matching r's premise and returns the resulting constraint system. The algorithm for deciding satisfiability of ALC concepts is given in Figure 1. It takes a constraint system {x : C} as input and returns satisfiable if C is satisfiable w.r.t. the empty TBox and unsatisfiable otherwise. In order to describe the space requirements of the sat algorithm, a formal notion of the size of concepts is introduced.

Definition 5. For a concept C, the size of C (denoted by ||C||) is defined as the number of symbols (operators, concept and role names) it contains. For a TBox T, the size of T (denoted by ||T||) is defined as the sum of the sizes of the right-hand sides of all concept definitions in T. The role depth of a concept C is the nesting depth of exists and value restrictions in C.

In [17], it is proved that the described algorithm is correct and can be executed in polynomial space.^ The latter is a consequence of the following facts:

- The recursion depth of sat is bounded by the role depth.

- In each recursion step, the constraints in the constraint system S involve a single object only. For each object, there can be at most O(||C||) constraints. The size of each constraint is bounded by ||C||.

As already argued in the introduction, using unfolding to generalize sat to TBoxes is not a good choice since the space requirements of the resulting algorithm would no longer be polynomial. However, there exists a better strategy for dealing with TBoxes, which is described in the following.

In order to allow for a succinct definition of the extended algorithm, we need to introduce a special form of TBoxes.

^ Schmidt-Schauß and Smolka present the algorithm in a different form. In the form presented here, the algorithm first appeared in [4].
Definition 6. A TBox T is called simple iff it satisfies the following requirements:

- The right-hand side of each concept definition in T contains exactly one operator.

- If the right-hand side of a concept definition in T is ¬A, then A does not occur on the left-hand side of any concept definition in T.

The following lemma shows that restricting ourselves to simple TBoxes is not a limitation.

Lemma 1. Any TBox T can be converted into a simple one T' in linear time, such that T' is equivalent to T in the following sense: Any model for T' can be extended to a model for T and vice versa.

Proof: The conversion can be done in three steps as follows.

1. Eliminate non-atomic negation. (i) Convert the right-hand sides of all concept definitions in T to NNF. (ii) For each definition A = C in T, add a new definition Ā = nnf(¬C), where nnf(¬C) denotes the result of converting ¬C to NNF. (iii) For every atomic concept A occurring on the left-hand side of a concept definition in T, replace every occurrence of ¬A in T with Ā.

2. Break up concepts. Exhaustively apply the following rewrite rules. In the following, C denotes a non-atomic concept and D an arbitrary concept.

- A = C ⊓ D → A = A' ⊓ D, A' = C (and analogous for ⊔)

- A = D ⊓ C → A = D ⊓ A', A' = C (and analogous for ⊔)

- A = ∃R.C → A = ∃R.A', A' = C (and analogous for ∀)

In all cases, A' is a concept name not yet used in T. Please note that if a definition A = ¬C is in T, then, due to the first step, C is atomic and does not occur on the left-hand side of a concept definition.

3. Eliminate redundant names. For each concept definition A = A', where both A and A' are atomic, replace every occurrence of A' in T with A. Remove the definition from T.

The correctness of the above procedure is easily seen. The loosened form of equivalence is necessary since T' contains additional atomic concepts, and, furthermore, some "redundant" atomic concepts from T may not exist in T'. Let T be a TBox and T' be the result of applying the above procedure. The first step can be performed in linear time since NNF conversion needs linear time and the number of concept definitions is at most doubled. Since the number of rewrite rule applications in the second step is bounded by the number of operators in T, this step can also be performed in linear time. This obviously also holds for the third step. □

From the above result, it immediately follows that, for any TBox T, there exists an equivalent simple one T' such that ||T'|| is of order O(||T||). We will now modify the sat algorithm to decide the satisfiability of an atomic concept A w.r.t. a simple TBox T. Using the modified algorithm, it is also possible to decide the satisfiability of non-atomic concepts C w.r.t. TBoxes T: Add a definition A = C to T (where A is a new concept name in T), convert the resulting TBox to simple form and start the algorithm with (A, T') where T' is the newly obtained TBox. The modified algorithm works on constraint systems of a restricted form. In constraints of the form a : C, C must be a concept name (which may be the left-hand side of a concept definition in T).

Definition 7. Let A be an atomic concept and T be a simple ALC TBox. Making use of the existing sat algorithm, an algorithm tbsat, which returns satisfiable if A is satisfiable w.r.t. T and unsatisfiable otherwise, is given as follows.

1. Modify the completion rules of sat as follows: In the premise of each completion rule, substitute "a : C ∈ S" by "a : A ∈ S and A = C ∈ T". E.g., in the conjunction rule, "a : C ⊓ D ∈ S" is replaced by "a : A ∈ S and A = C ⊓ D ∈ T".

2. Start the sat algorithm with the initial constraint system {x : A}, where x is an arbitrary object name. Use the modified rules for the sat run.

Unlike unfolding, the described algorithm has the advantage that it can be executed in polynomial space.
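The tbsat procedure of Definition 7, together with the NNF rewrite rules of Section 2.1 and the break-up step of Lemma 1, as an added Python example that is not part of the paper. The tuple encoding of concepts, the fresh names _N1, _N2, ... and the sample TBox (Parent, HappyParent) are constructed for this illustration; negated names are assumed to be primitive, so step 1 of Lemma 1 is not reproduced.

```python
# Concepts are tuples: ('atom', A), ('not', C), ('and', C, D), ('or', C, D),
# ('some', R, C), ('all', R, C).  Simple-TBox right-hand sides carry one operator
# over concept NAMES, e.g. ('and', 'A', 'B'), ('some', R, 'A'), ('not', 'A').

def nnf(c):
    """Negation normal form via the rewrite rules of Section 2.1."""
    op = c[0]
    if op == 'atom':
        return c
    if op in ('and', 'or'):
        return (op, nnf(c[1]), nnf(c[2]))
    if op in ('some', 'all'):
        return (op, c[1], nnf(c[2]))
    inner = c[1]                        # op == 'not': push the negation inwards
    if inner[0] == 'atom':
        return c
    if inner[0] == 'not':               # ¬¬C → C
        return nnf(inner[1])
    if inner[0] == 'and':               # ¬(C ⊓ D) → ¬C ⊔ ¬D
        return ('or', nnf(('not', inner[1])), nnf(('not', inner[2])))
    if inner[0] == 'or':                # ¬(C ⊔ D) → ¬C ⊓ ¬D
        return ('and', nnf(('not', inner[1])), nnf(('not', inner[2])))
    if inner[0] == 'some':              # ¬(∃R.C) → ∀R.¬C
        return ('all', inner[1], nnf(('not', inner[2])))
    return ('some', inner[1], nnf(('not', inner[2])))   # ¬(∀R.C) → ∃R.¬C

class SimpleTBox:
    """Acyclic TBox kept in simple form (Definition 6) as definitions are added."""

    def __init__(self):
        self.defs = {}      # name -> one-operator right-hand side
        self._count = 0

    def fresh(self):
        self._count += 1
        return f'_N{self._count}'

    def define(self, name, c):
        """Add name = c (c in NNF) to the TBox, breaking c up as in Lemma 1, step 2.
        Negated names must be primitive (Lemma 1, step 1, is not reproduced here)."""
        if c[0] == 'atom':                          # alias A = A', kept as A' ⊓ A'
            self.defs[name] = ('and', c[1], c[1])
        elif c[0] == 'not':
            self.defs[name] = ('not', c[1][1])
        elif c[0] in ('and', 'or'):
            self.defs[name] = (c[0], self.name_of(c[1]), self.name_of(c[2]))
        else:                                       # 'some' / 'all'
            self.defs[name] = (c[0], c[1], self.name_of(c[2]))

    def name_of(self, c):
        """A concept name equivalent to c, defining a fresh one unless c is atomic."""
        if c[0] == 'atom':
            return c[1]
        n = self.fresh()
        self.define(n, c)
        return n

def tbsat(names, tbox):
    """Figure 1 with the rules of Definition 7: a:A ∈ S and A = C ∈ T replace a:C ∈ S.
    `names` are the concept names of the single object of the current recursion step."""
    S = set(names)
    changed = True
    while changed:                          # R⊓ and R⊔ until neither applies
        changed = False
        for A in list(S):
            rhs = tbox.defs.get(A)
            if rhs is None:
                continue                    # primitive name: no rule applies
            if rhs[0] == 'and' and not {rhs[1], rhs[2]} <= S:
                S |= {rhs[1], rhs[2]}
                changed = True
            elif rhs[0] == 'or' and not {rhs[1], rhs[2]} & S:
                return any(tbsat(S | {d}, tbox) for d in rhs[1:])   # both outcomes
    for A in S:                             # clash: a:A and a:N where N = ¬A ∈ T
        rhs = tbox.defs.get(A)
        if rhs is not None and rhs[0] == 'not' and rhs[1] in S:
            return False
    for A in S:                             # R∃C followed by the recursive call
        rhs = tbox.defs.get(A)
        if rhs is not None and rhs[0] == 'some':
            R, D = rhs[1], rhs[2]
            succ = {D} | {tbox.defs[B][2] for B in S
                          if B in tbox.defs and tbox.defs[B][:2] == ('all', R)}
            if not tbsat(succ, tbox):
                return False
    return True

def satisfiable(c, tbox):
    """Add A = nnf(c) for a fresh name A and start tbsat on (A, T') (Section 2.1)."""
    a = tbox.fresh()
    tbox.define(a, nnf(c))
    return tbsat({a}, tbox)

# Constructed sample TBox (not taken from the paper).
T = SimpleTBox()
T.define('Parent', nnf(('and', ('atom', 'Person'), ('some', 'hasChild', ('atom', 'Person')))))
T.define('HappyParent', nnf(('and', ('atom', 'Parent'), ('all', 'hasChild', ('atom', 'Happy')))))
```

With this TBox, HappyParent ⊓ ∃hasChild.¬Happy is unsatisfiable because the ∀hasChild.Happy constraint is propagated to the child in the recursive call, where it clashes; no definition is ever unfolded.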

Proposition 1. The tbsat algorithm is sound and complete and can be executed in polynomial space.

Proof: Let (A, T) be an input to tbsat and let C be the result of unfolding A w.r.t. T. Please note that C is in NNF since T is in simple form. The correctness of tbsat can be proved by showing that a run of tbsat on input (A, T) yields the same result as a run of sat on input C. This, in turn, can be proved by induction over the number of recursion steps. It is important to note that, at every point in the computation where a nondeterministic decision has to be made (deciding which rule to apply or deciding which consequence of the R⊔ rule to use), the available choices are exactly the same for both algorithms.

It is an immediate consequence of the following facts that the tbsat algorithm can be executed in polynomial space.

- The recursion depth of tbsat is bounded by ||T||. This is the case since (i) runs of tbsat on (A, T) are equivalent to runs of sat on C and (ii) the role depth of C is bounded by ||T||.^ The second point can be seen as follows: Assume that the role depth of C exceeds ||T||. This means that the right-hand side of a concept definition A' = ∃R.D or A' = ∀R.D in T contributes to the role depth more than once. From this, however, it follows that unfolding D w.r.t. T yields a concept containing A', which is a contradiction to the acyclicity of T.

- In each recursion step, the constraints in the constraint system S involve a single object only. The number of constraints per object is bounded by the number of definitions in T and the maximum size of constraints is constant.

□

^ I.e., although unfolding may lead to an exponential blow-up in concept size [15], the role depth is "preserved".
The following theorem is an immediate consequence of the above result.

Theorem 1. Deciding satisfiability of ALC concepts w.r.t. acyclic TBoxes is PSPACE-complete.

The use of the presented modification scheme is not limited to ALC. In order to give an intuition of when the proposed modification can be applied to yield a PSPACE algorithm, let us summarize why the modification is successful in the case of ALC. As a prerequisite, a completion algorithm is needed which uses tracing, i.e., which performs depth-first search over role successors. In the case of ALC, the recursion depth of this algorithm is bounded by the role depth of the input concept C. As opposed to the concept size, the role depth is "preserved by unfolding", i.e., if a concept C is unfolded w.r.t. a TBox T, then the role depth of the unfolded concept C is linear in ||C|| + ||T||. This fact is used to argue that the recursion depth of the modified algorithm is linear in the size of its input.

The other important point in the proof of Proposition 1 is that the ALC tracing algorithm considers constraints for only one object per recursion step and so does the modified algorithm. What is important here is, again, that the number of objects considered in a single recursion step is describable by a function which is "preserved by unfolding" (the constant 1 in the case of ALC).

For a formalization of "preservation by unfolding", the notion of a u-stable function (where "u" stands for unfolding) is introduced. A function f mapping concepts to natural numbers is called u-stable w.r.t. a description logic L iff the following holds: There exists an integer k such that, for all atomic concepts A and all L TBoxes T, if C is the result of unfolding A w.r.t. T, then f(C) is of order O(||T||^k). As was shown in the proof of Proposition 1, the role depth of concepts is an example for a u-stable function. An example for a function which is not u-stable is the size of concepts (as Nebel proved [15]). A rule of thumb can now be formulated as follows:

The described modification can be applied to completion algorithms A which decide satisfiability for a logic L w.r.t. the empty TBox. Assume that A performs depth-first search over role successors and can be executed in polynomial space. If A expands the constraints of α(C) objects per recursion step and A's recursion depth is bounded by a function of C as well, where C is the input concept and both functions are u-stable w.r.t. L, then the modified algorithm can be expected to be executable in polynomial space.

This rule of thumb can, e.g., be applied to the description logic ALCNR (see [9]). ALCNR extends ALC by (unqualified) number restrictions^ and role conjunction.

Conjecture. Deciding the satisfiability of ALCNR concepts w.r.t. TBoxes is a PSPACE-complete problem.

^ We follow Donini et al. and assume unary coding of numbers.




190 Carsten Lutz 



Why is the rule of thumb applicable to ALCNR? Donini et al. [9] give a PSPACE algorithm for deciding satisfiability of ALCNR concepts w.r.t. empty TBoxes which performs depth-first search over role successors. Its recursion depth is bounded by the role depth of the input concept C. In each recursion step, constraints for at most ex(C) + 1 objects are expanded, where ex(C) is the number of distinct existentially quantified subconcepts of C. It is easy to prove that ex( ) is a u-stable function. Assume that C is the result of unfolding an atomic concept A w.r.t. a TBox T and that ex(C) > ||T||. It follows that there exists a concept definition B_0 = ∃R.B_1 in T such that B_0 uses an atomic concept B_2 (where possibly B_1 = B_2) and that B_2 can be replaced by different concepts during unfolding. This, however, is a contradiction to the definition of TBoxes, since the uniqueness of left-hand sides of concept definitions is mandatory.

3 ALCF and TBoxes: The Lower Bound

Given the modification scheme for satisfiability algorithms described in the previous section, it is a natural question to ask if there are any relevant description logics for which reasoning w.r.t. the empty TBox is in PSPACE but reasoning w.r.t. TBoxes is not. In the following, we will answer this question in the affirmative by showing that the hardness of reasoning with the logic ALCF [11] moves from PSPACE to NEXPTIME if TBoxes are admitted.

A domino probl­em is given by a finite set of tile types. All tile types are of the same size, each type has a quadratic shape and colored edges. Of each type, an unlimited number of tiles is available. The problem is to arrange these tiles to cover a torus^ of exponential size without holes or overlapping, such that adjacent tiles have identical colors on their common edge (rotation of the tiles is not allowed). Please note that this is a restricted version of the (undecidable) general domino problem where a tiling of the first quadrant of the plane is asked for.

Definition 8. Let 𝒟 = (D, H, V) be a domino system, where D is a finite set of tile types and H, V ⊆ D × D. Let U(s, t) be the torus Z_s × Z_t, where Z_n denotes the set {0, ..., n−1}. Let w = w_0, ..., w_{n−1} be an n-tuple of tiles (with n ≤ s). We say that 𝒟 tiles U(s, t) with initial condition w iff there exists a mapping τ : U(s, t) → D such that for all (x, y) ∈ U(s, t):

- if τ(x, y) = d and τ(x ⊕_s 1, y) = d' then (d, d') ∈ H

- if τ(x, y) = d and τ(x, y ⊕_t 1) = d' then (d, d') ∈ V

- τ(i, 0) = w_i for 0 ≤ i < n,

where ⊕_n denotes addition modulo n.

Börger et al. show that it is NEXPTIME-complete to decide if, for a given domino system 𝒟 and a given n-tuple w, 𝒟 tiles U(2^n, 2^n) with initial condition w [6]. In the following, we will reduce this domino problem to satisfiability of ALCF concepts w.r.t. TBoxes. We will first give an informal explanation of how the reduction works and then formally prove its correctness. For the sake of readability, the reduction TBox T[𝒟, w, n] is split into two figures. Models of the reduction TBox represent solutions of instances of the domino problem. To be more precise, models of C w.r.t. T[𝒟, w, n] (Figure 3) encode a grid of size 2^n which has the form of a torus and is properly tiled by 𝒟. The nodes of the grid are represented by domain objects, horizontal edges are represented by the feature x and vertical edges by the feature y. Please note that the grid may "collapse", i.e., the 2^n × 2^n nodes are not necessarily distinct. Nevertheless, models of C w.r.t. T[𝒟, w, n] define a tiling of the full 2^n × 2^n torus.

^ i.e., a rectangular grid whose edges are "glued" together

Fig. 2. The ALCF reduction TBox T[𝒟, w, n]: Tree definition. Substitute (α, β, γ) by (f, g, y) or (u, v, x).

The first task is to enforce two cyclic feature chains of length 2^n, which will be edges of the grid. This is done by defining a binary tree of depth n whose leaf nodes are connected by a cyclic feature chain. The corresponding concept Tree_0 can be found in Figure 2. Please note that since two trees are needed, the TBox in the figure has to be instantiated twice, where (α, β, γ) is substituted by (f, g, y) and (u, v, x), respectively. The first instantiation yields a y chain (of length 2^n) and the second one an x chain.

Consider the concept C in Figure 3, which glues together all the necessary building parts. It refers to the Tree_0 concept to build up two trees and it enforces the identification of the "beginning" nodes in the two (cyclic) leaf chains. The next task is to build the remaining grid, which is done by the Grid_i concepts in Figure 3. The features d_1, ..., d_n are diagonals in the grid (each d_i spans 2^{i−1} "grid cells") and play a central role in the grid definition. The use of these diagonals allows the definition of the (exponentially sized) grid by a TBox of polynomial size. First observe that each object on the two cyclic feature chains (row 0 and column 0 of the torus to be defined) is in the extension of Grid_n and hence also of Grid_0. Because of this, each object on the chains has d_1, x, and y fillers such that the d_1 filler coincides with the xy and yx filler. Together with the cyclicity of the initial feature chains, this properly defines row 1 and column 1 of the torus. Since the objects on the initial chains are in the extension of Grid_1, the objects on row 1 and column 1, which are d_1 fillers of objects on the initial chains, are in the extension of Grid_0. Hence, we can repeat the argument for row/column 1 and conclude the proper definition of row/column 2. Now observe that the objects on row/column 2 are d_2 fillers of the objects on the initial chain. Hence, they are in the extension of both the Grid_0 and Grid_1 concept and we can repeat the entire argument from above to derive the existence of rows/columns 3 and 4. This "doubling" can be repeated n times because of the existence of the features d_1, ..., d_n and yields rows/columns 0, ..., 2^n of the torus. The cyclicity of the initial feature chains ensures that the edges of the grid are properly "glued" to form a torus, i.e., that row/column 2^n coincides with row/column 0. Figure 4 shows a clipping from a grid as enforced by the reduction TBox.

Grid_0 = xy↓yx ⊓ xy↓d_1 ⊓ Tile
Grid_1 = Grid_0 ⊓ d_1d_1↓d_2 ⊓ ∃d_1.Grid_0
...
Grid_{n−1} = Grid_{n−2} ⊓ d_{n−1}d_{n−1}↓d_n ⊓ ∃d_{n−1}.Grid_{n−2}
Grid_n = Grid_{n−1} ⊓ ∃d_n.Grid_{n−1}

Tile = ⊔_{d∈D} D_d ⊓ ⊓_{d∈D} ⊓_{d'∈D∖{d}} ¬(D_d ⊓ D_{d'})
       ⊓ ⊓_{d∈D} (D_d → ∃x. ⊔_{(d,d')∈H} D_{d'})
       ⊓ ⊓_{d∈D} (D_d → ∃y. ⊔_{(d,d')∈V} D_{d'})

Init = ∃u^n.(D_{w_0} ⊓ ∃x.(D_{w_1} ⊓ ... ⊓ ∃x.(D_{w_{n−2}} ⊓ ∃x.D_{w_{n−1}}) ...))
C = Tree_0(f, g, y) ⊓ Tree_0(u, v, x) ⊓ f^n↓u^n ⊓ Init

Fig. 3. The ALCF reduction TBox T[𝒟, w, n]: Grid definition and tiling.

The grid represents the structure to be tiled. The final task is to define the tiling itself. Domino types are represented by atomic concepts D_d. Because of the definition of Grid_0, each node in the grid is in the extension of the concept Tile. The Tile concept ensures that, horizontally as well as vertically, the tiling condition is satisfied (we use C → D as an abbreviation for ¬C ⊔ D). The Init concept enforces the initial condition w. In the following, a formal proof of the correctness of the reduction is given.

Proposition 2. Satisfiability and subsumption of ALCF concepts w.r.t. TBoxes is NEXPTIME-hard.
Proof:

(⇒) Let I be a model of C w.r.t. T[𝒟, w, n]. To prove that 𝒟 tiles U(2^n, 2^n) with initial condition w, it needs to be shown that there is a mapping τ as introduced in Definition 8.

As argued above, there exist 2^n × 2^n (not necessarily distinct) objects a_{i,j} in Δ_I which form a torus w.r.t. the features x and y, i.e., x^I(a_{i,j}) = a_{(i ⊕_{2^n} 1), j} and y^I(a_{i,j}) = a_{i, (j ⊕_{2^n} 1)}. All objects in the torus are in the extension of the Tile concept. This concept encodes the properties required for τ in Definition 8. Hence, τ can be defined as follows: τ := {(i, j, d) | a_{i,j} ∈ D_d^I}. This function is well-defined since the Tile concept ensures that none of the a_{i,j} is in the extension of two concepts D_d and D_{d'}, where d ≠ d'.

(⇐) Assume that the domino system 𝒟 tiles U(2^n, 2^n) with initial condition w (which is of length n). This means that there exists a mapping τ as defined in Definition 8. In the following, we define a model for C w.r.t. T[𝒟, w, n]. The model has the form as discussed above: There are two binary trees of depth n whose leaf nodes are connected by a feature chain. These two chains of length 2^n are edges of a grid of size 2^n × 2^n. The edges of the grid are "glued" together. Let the interpretation I be defined as follows:

Δ_I = {a_{i,j} | 0 ≤ i, j < 2^n} ∪ {b_{i,j}, c_{i,j} | 0 ≤ i < n, 0 ≤ j < 2^i}

f^I(b_{0,0}) := b_{1,0}, g^I(b_{0,0}) := b_{1,1}, u^I(b_{0,0}) := c_{1,0}, v^I(b_{0,0}) := c_{1,1}

∀ i, j with 0 < i < n−1, 0 ≤ j < 2^i:
  f^I(b_{i,j}) := b_{(i+1),(2j)}, g^I(b_{i,j}) := b_{(i+1),(2j+1)}
  u^I(c_{i,j}) := c_{(i+1),(2j)}, v^I(c_{i,j}) := c_{(i+1),(2j+1)}

∀ 0 ≤ i < 2^{n−1}:
  f^I(b_{(n−1),i}) := a_{0,(2i)}, g^I(b_{(n−1),i}) := a_{0,(2i+1)}
  u^I(c_{(n−1),i}) := a_{(2i),0}, v^I(c_{(n−1),i}) := a_{(2i+1),0}

∀ 0 ≤ i, j < 2^n: x^I(a_{i,j}) := a_{(i ⊕_{2^n} 1), j}, y^I(a_{i,j}) := a_{i, (j ⊕_{2^n} 1)}

∀ 0 ≤ i, j < 2^n, 1 ≤ k ≤ n: d_k^I(a_{i,j}) := a_{(i ⊕_{2^n} 2^{k−1}), (j ⊕_{2^n} 2^{k−1})}

∀ d ∈ D: D_d^I := {a_{x,y} | τ(x, y) = d}

It is straightforward to verify that I is in fact a model for C w.r.t. T[𝒟, w, n]: The b_{i,j} objects form a tree of depth n where edges are labelled with f and g. The n-th level of the tree consists of the objects a_{0,0}, ..., a_{0,2^n−1}. Similarly, the c_{i,j} objects form a u,v-tree where the n-th level consists of the objects a_{0,0}, ..., a_{2^n−1,0} and the root is the object b_{0,0}. The a_{i,j} objects make up a grid w.r.t. the features x and y (and diagonals d_i) which satisfies the Tile concept since the extension of the D_d concepts is defined through the tiling τ. Hence, it can be concluded that the object b_{0,0} is an instance of C w.r.t. T[𝒟, w, n].

It is easy to verify that the size of T[𝒟, w, n] is of order O(n²). Hence, the reduction can be performed in polynomial time. □

In contrast to agreements on roles (called "role value maps"), agreements on features are frequently believed to "not harm" w.r.t. decidability and complexity. The presented reduction indicates that this is not always the case. Furthermore, if TBoxes are extended with GCIs, the given reduction can easily be extended to an undecidability proof. Consider the following TBox:

D = ⊤

⊤ ⊑

⊤ ⊑ Tile

where Tile is defined as in Figure 3. It induces a (possibly) infinite grid and satisfiability of D implies a complete tiling of the first quadrant.^ Hence, decidability of ALCF with GCIs contradicts the undecidability of the general domino problem. For the reduction TBox, only the operators atomic negation, conjunction, disjunction, feature agreement and existential quantification over features are required. The result just obtained is already known in feature logic (see [2, Theorem 6.3], where it was proved by a reduction of the word problem for finitely presented groups).

4 ALCF and TBoxes: The Upper Bound

In order to prove that the satisfiability of ALCF concepts w.r.t. TBoxes is a NEXPTIME-complete problem, it remains to be shown that the satisfiability of ALCF concepts w.r.t. TBoxes can be decided in nondeterministic exponential time.

^ The induced grid may also have the form of a torus since we don't enforce distinct nodes. In this case, however, a tiling of the torus induces a periodic tiling of the first quadrant.

In [14], a completion algorithm for deciding satisfiability of ALCF(𝒟) concepts w.r.t. empty TBoxes is given which can be executed in polynomial space. ALCF(𝒟) is the extension of ALCF by so-called concrete domains. By removing the completion rules and clash conditions dealing with the concrete domain, we will adapt this algorithm to ALCF. Furthermore, we will show that an extension of the obtained algorithm to TBoxes as described in Section 2.1 can be executed in exponential time. The algorithm operates on constraint systems of the following form.

Definition 9. Let f be a feature and a and b elements of O_A. Then, the following expressions are ALCF constraints:

All ALC constraints, (a, b) : f, a ≠ b

A finite set of ALCF constraints is called an ALCF constraint system. An interpretation for ALCF constraint systems is defined identically to interpretations for ALC constraint systems. An interpretation satisfies a constraint

(a, b) : f iff (a^I, b^I) ∈ f^I and
a ≠ b iff a^I ≠ b^I.

A constraint system S is said to contain a fork (for a feature f) if it contains the two constraints (a, b) : f and (a, c) : f. A fork can be eliminated by replacing all occurrences of c in S with b. During rule application, it is assumed that forks are eliminated as soon as they appear (as an integral part of the rule application) with the proviso that newly generated objects are replaced by older ones.

Before the algorithm itself is described, we introduce the set of completion rules. In order to provide a succinct description of the rules, two auxiliary functions need to be defined. For an object a ∈ O_A and a feature chain u, succ_S(a, u) denotes the object b that can be found by following u starting from a in S. If no such object exists, succ_S(a, u) denotes the special object ε that cannot be part of any constraint system. Let a, b ∈ O_A and u = f_1 ⋯ f_k be a feature chain. The function chain is defined as follows:

chain_S(a, b, u) := {(a, c_1) : f_1, ..., (c_{k−1}, b) : f_k}

where the c_1, ..., c_{k−1} ∈ O_A are distinct and fresh in S.

We now give the completion rules for the algorithm. 

Definition 10. The following completion rules replace a given constraint system S nondeterministically by a constraint system S'. In the following, C denotes a concept, R a role, f a feature, u_1 and u_2 feature chains, and a and b object names from O_A.

R⊓, R⊔ As in Definition 4

Rr∃C The role exists restriction rule.

If a : ∃R.C ∈ S and there is no b ∈ O_A such that {(a, b) : R, b : C} ⊆ S
Then S' := S ∪ {(a, b) : R, b : C} where b ∈ O_A is fresh in S.

Rf∃C The feature exists restriction rule (may create forks).

If a : ∃f.C ∈ S and there is no b ∈ O_A such that {(a, b) : f, b : C} ⊆ S
Then S' := S ∪ {(a, b) : f, b : C} where b ∈ O_A is fresh in S.

Rr∀C The role value restriction rule.

If a : ∀R.C ∈ S and there is a b ∈ O_A such that (a, b) : R ∈ S and b : C ∉ S
Then S' := S ∪ {b : C}

Rf∀C The feature value restriction rule.

If a : ∀f.C ∈ S and there is a b ∈ O_A such that (a, b) : f ∈ S and b : C ∉ S
Then S' := S ∪ {b : C}

R↓ The agreement rule (may create forks).

If a : u_1↓u_2 ∈ S, there is no b ∈ O_A such that succ_S(a, u_1) = succ_S(a, u_2) = b
Then S_0 := S ∪ chain_S(a, b, u_1) where b ∈ O_A is fresh in S.
S' := S_0 ∪ chain_{S_0}(a, b, u_2)

R↑ The disagreement rule (may create forks).

If a : u_1↑u_2 ∈ S and there are no b_1, b_2 ∈ O_A such that
succ_S(a, u_1) = b_1, succ_S(a, u_2) = b_2 and b_1 ≠ b_2 ∈ S
Then S_0 := S ∪ chain_S(a, b_1, u_1) and S' := S_0 ∪ chain_{S_0}(a, b_2, u_2) ∪ {b_1 ≠ b_2}
where b_1, b_2 ∈ O_A are distinct and fresh in S.

An ALCF constraint system S is called contradictory iff any of the following clash triggers apply:

- Primitive clash: a : C ∈ S, a : ¬C ∈ S

- Agreement clash: a ≠ a ∈ S

The algorithm expects the input concept C to be in negation normal form. Conversion to NNF can be done in linear time by applying the rules given in Section 2.1 together with the following rules:

- ¬(u_1↓u_2) → ∀u_1.⊥ ⊔ ∀u_2.⊥ ⊔ u_1↑u_2

- ¬(u_1↑u_2) → ∀u_1.⊥ ⊔ ∀u_2.⊥ ⊔ u_1↓u_2

We are now ready to give the satisfiability algorithm itself.

Definition 11. The function sat decides the satisfiability of ALCF concepts in NNF w.r.t. the empty TBox. To decide the satisfiability of the concept C, sat takes the input {x : C}.

define procedure sat(S)
  S' := feature-complete(S)
  if S' contains a clash then
    return inconsistent
  forall a : ∃R.D ∈ S', where R is a role, do
    Let b be an object name from O_A
    if sat({b : D} ∪ {b : E | a : ∀R.E ∈ S'}) = inconsistent then
      return inconsistent
  return consistent




Complexity of Terminological Reasoning Revisited 197 



define procedure feature-complete(S)
  while a rule r from {R⊓, R⊔, Rf∃C, Rf∀C, R↓, R↑} is applicable to S do
    S := apply(S, r)
  return S

The correctness of the described algorithm can be easily seen: It corresponds to the algorithm given in [14] for deciding satisfiability of ALCF(𝒟) concepts with all rules and clash triggers concerning the concrete part left out. Since the original algorithm is correct for ALCF(𝒟), it is obviously also correct for ALCF. Furthermore, it can easily be verified that, if the original algorithm is started on an ALCF concept, no concrete domain operators or "concrete objects" are introduced during the algorithm run, and, hence, neither concrete domain related completion rules nor concrete domain related clash rules apply. Thus, they can safely be left out.
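The feature rules of Definition 10 with fork elimination and the clash triggers, as an added Python example that is not part of the paper: R⊓, R⊔ and the role rules are omitted, and the tuple encoding of constraints, the integer object names (a larger number means a younger object) and the sample inputs are assumptions of this illustration.

```python
# Constraints are tuples: ('c', a, C) for a:C, ('f', a, b, f) for (a,b):f and
# ('ne', a, b) for a ≠ b.  Objects are integers (a larger number is a younger
# object), feature chains are tuples of feature names, and concepts are
# ('atom', A), ('not', C), ('some_f', f, C), ('all_f', f, C),
# ('agree', u1, u2) for u1↓u2 and ('disagree', u1, u2) for u1↑u2.

def make_gen(start):
    """Supplies fresh object names, numbered above every name used so far."""
    counter = [start]

    def gen():
        counter[0] += 1
        return counter[0]
    return gen

def succ(S, a, u):
    """succ_S(a, u): follow the feature chain u from a; None if it breaks off."""
    for f in u:
        fillers = [c[2] for c in S if c[0] == 'f' and c[1] == a and c[3] == f]
        if not fillers:
            return None
        a = fillers[0]                  # at most one filler once forks are gone
    return a

def chain(a, b, u, gen):
    """chain_S(a, b, u): a path from a to b along u through fresh objects."""
    objs = [a] + [gen() for _ in u[:-1]] + [b]
    return {('f', objs[i], objs[i + 1], f) for i, f in enumerate(u)}

def eliminate_forks(S):
    """Whenever (a,b):f and (a,c):f both occur, replace the younger object by
    the older one everywhere (the proviso stated after Definition 9)."""
    while True:
        feats = [c for c in S if c[0] == 'f']
        fork = next(((p, q) for p in feats for q in feats
                     if p[1] == q[1] and p[3] == q[3] and p[2] != q[2]), None)
        if fork is None:
            return S
        old, young = sorted((fork[0][2], fork[1][2]))
        S = {tuple(old if x == young else x for x in c) for c in S}

def step(S, gen):
    """One application of Rf∃C, Rf∀C, R↓ or R↑ (Definition 10); None if S is
    complete.  R⊓ and R⊔ are omitted: they work exactly as in Definition 4."""
    for con in sorted(S, key=repr):
        if con[0] != 'c':
            continue
        a, C = con[1], con[2]
        if C[0] == 'some_f':            # Rf∃C: needs an f-filler that is in D
            f, D = C[1], C[2]
            if not any(c[0] == 'f' and c[1] == a and c[3] == f
                       and ('c', c[2], D) in S for c in S):
                b = gen()
                return S | {('f', a, b, f), ('c', b, D)}
        elif C[0] == 'all_f':           # Rf∀C: propagate D to the f-filler
            f, D = C[1], C[2]
            for c in S:
                if c[0] == 'f' and c[1] == a and c[3] == f and ('c', c[2], D) not in S:
                    return S | {('c', c[2], D)}
        elif C[0] == 'agree':           # R↓: both chains must end in one object
            b1, b2 = succ(S, a, C[1]), succ(S, a, C[2])
            if b1 is None or b1 != b2:
                b = gen()
                return S | chain(a, b, C[1], gen) | chain(a, b, C[2], gen)
        elif C[0] == 'disagree':        # R↑: chain ends must be asserted distinct
            b1, b2 = succ(S, a, C[1]), succ(S, a, C[2])
            if None in (b1, b2) or not ({('ne', b1, b2), ('ne', b2, b1)} & S):
                b1, b2 = gen(), gen()
                return (S | chain(a, b1, C[1], gen) | chain(a, b2, C[2], gen)
                        | {('ne', b1, b2)})
    return None

def contradictory(S):
    """Clash triggers of Section 4: a:A together with a:¬A, or a ≠ a."""
    return any((c[0] == 'c' and c[2][0] == 'not' and ('c', c[1], c[2][1]) in S)
               or (c[0] == 'ne' and c[1] == c[2]) for c in S)

def feature_complete(S, gen):
    """feature-complete of Definition 11 restricted to the feature rules: apply
    rules until none applies, eliminating forks after every application."""
    S = eliminate_forks(S)
    while True:
        nxt = step(S, gen)
        if nxt is None:
            return S
        S = eliminate_forks(nxt)

# Constructed inputs (not from the paper).  Object 0 must satisfy f↓g and f↑g:
# R↓ identifies the f- and g-fillers, R↑ then creates fresh ones that fork
# elimination folds back onto the old filler, leaving the clash 1 ≠ 1.
CLASH_INPUT = {('c', 0, ('agree', ('f',), ('g',))),
               ('c', 0, ('disagree', ('f',), ('g',)))}
# The Grid_0 agreements of Figure 3 (xy↓yx and xy↓d1) on a single grid node.
GRID_INPUT = {('c', 0, ('agree', ('x', 'y'), ('y', 'x'))),
              ('c', 0, ('agree', ('x', 'y'), ('d1',)))}
```

On GRID_INPUT the two agreements leave a single object reachable via xy, yx and d1, which is exactly the "d_1 filler coincides with the xy and yx filler" property used in Section 3.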

Proposition 3. The sat algorithm is sound, complete, and terminates. 

We now investigate the extension of sat to TBoxes as described in Section 2.1. The extended algorithm is called tbsat and takes a pair (A, T) as input, where A is an atomic concept and T is an ALCF TBox in simple form. tbsat is also capable of deciding satisfiability of non-atomic concepts w.r.t. TBoxes (see Section 2.1). The correctness of tbsat follows from the correctness of the original algorithm and the fact that a run of tbsat on (A, T) is equivalent to a run of sat on C, where C is the result of unfolding A w.r.t. T (see Section 2.1). It remains to determine the runtime of the extended algorithm.

Proposition 4. The algorithm tbsat can be executed in exponential time. 

Proof: Let {A,T) be an input to tbsat. Let n denote ||T||. It needs to be shown 
that the number of rule applications performed by tbsat is exponential in n. 
This is a consequence of the next two claims, since each completion rule can be 
applied at most once per constraint (for the RVC rule, this holds for the (a, b) : R 
constraints) and constraints are never removed. 

1. Let p be the number of objects created during a tbsat run. p is exponential 
in n. 

2. For each objects a, there may exist at most exponentially many constraints 
which refer to a. 

In the following, we can savely ignore constraints of the form a ^ b since they 
do not appear in the premise of any completion rule. 

The validity of claim 1 can be seen as follows: The recursion depth of tbsat 
is bounded by n since the recursion depth of sat is bounded by the role depth 
of its input (same argument as in the proof of Proposition 1). In each recursion 
step, at most n recursive calls are made. Hence, by (implicit) application of the 
R∃C rule, at most n^n ≤ 2^(n^2) objects are generated. For each such 
object, the feature-complete function is called, which may generate new objects by 
application of the R∃f, R↓, and R↑ rules. feature-complete generates a structure 
which has the form of a tree in which some nodes may coincide. Outdegree and 
depth of this tree-like structure are bounded by n: the outdegree is bounded by 
the number of distinct features in T since there may be at most one successor per 
feature; the depth of the structure is bounded by n since in sat runs, its depth is 
bounded by the role depth (see again the argument in the proof of Proposition 1). 
Hence, the total number of objects generated is bounded by 2^(n^2) · 2^(n^2), which is 
obviously exponential in n. 

Concerning point 2, fix an object a in a constraint system S considered by 
tbsat. It is easy to see that there may be at most n constraints of the form 
a : C, one for each concept definition in T. Furthermore, there may be at most 
n constraints of the form (a, a') : f, since there cannot be more than one filler 
per feature (please note that constraints (a, a') : R are never explicitly created). 
There may, however, be n constraints (a', a) : f per object a'. Since the number of 
objects is exponentially bounded (point 1), the number of (a', a) : f constraints 
is also exponentially bounded. □ 

Combining Propositions 2 and 4, we obtain the following result. 

Theorem 2. Deciding the satisfiability of ALCF concepts w.r.t. acyclic TBoxes 
is NExpTime-complete. 



5 Conclusion 

TBoxes are an important component of knowledge representation systems using 
description logics. However, for most DLs, the exact complexity of reasoning 
with acyclic TBoxes has never been determined. This paper concentrates on 
logics for which satisfiability w.r.t. the empty TBox is in PSpace and investigates 
how the presence of acyclic TBoxes influences the complexity of reasoning. 
In the first part of the paper, using the logic ALC, it is demonstrated how 
completion algorithms for deciding “pure” concept satisfiability can be modified to 
take into account TBoxes such that the resulting algorithm can still be executed 
in polynomial space. Using the modified algorithm, it is proved that, for 
ALC, satisfiability w.r.t. acyclic TBoxes is in PSpace. We claim that the given 
modification scheme can be applied to a variety of other description logics, too, 
and give a rule of thumb for when the resulting algorithm can be executed in 
polynomial space. 

In the second part, it is proved that, for the logic ALCF, satisfiability 
w.r.t. acyclic TBoxes is NExpTime-complete. In contrast, satisfiability of “pure” 
ALCF concepts is known to be PSpace-complete and the satisfiability of ALCF 
concepts w.r.t. general TBoxes is known to be undecidable. It is surprising that 
the complexity of reasoning moves up several steps in the complexity hierarchy 
if TBoxes are added. ALCF is a common description logic appearing as a fragment 
of several more expressive DLs such as, e.g., the temporal logic TL-ALCF 
[1] or the logic ALCF(D) for reasoning with concrete domains [14]. Hence, 
satisfiability w.r.t. acyclic TBoxes is NExpTime-hard for these logics, too. 
For the description logic ALC(D), similar complexity results as for ALCF can 
be obtained. The logic ALC(D) can be parameterized with a so-called concrete 
domain D, and, hence, the complexity of reasoning with ALC(D) depends on 
the complexity of reasoning with the concrete domain D. On the one hand, 
satisfiability of ALC(D) concepts w.r.t. the empty TBox is PSpace-complete 
provided that reasoning with the concrete domain D is in PSpace [14]. On 
the other hand, there exist concrete domains D for which reasoning is in NP 
such that satisfiability of ALC(D) concepts w.r.t. acyclic TBoxes is NExpTime-
complete [13]. 
Abstract. Datalog is a well-known database query language based on the logic 
programming paradigm. A general datalog program consists of a number of rules 
and facts. Programs containing a unique rule and possibly some facts are called 
single rule programs (sirups). We study both the combined and the program 
complexity of sirups, i.e., the complexity of evaluating sirups over variable and fixed 
databases, respectively. Moreover, we study the descriptive complexity of sirups, 
i.e., their expressive power. In all cases it turns out that even very restricted classes 
of sirups have the same complexity and essentially the same expressive power as 
general datalog programs. We show that the evaluation of single clause programs 
is EXPTIME complete (combined complexity), and, if restricted to linear recursive 
rules, PSPACE complete. Moreover, sirups with one recursive rule and one 
additional fact capture PTIME on ordered structures, if a certain data representation 
is assumed and certain predefined relations are provided. Our results are 
obtained by a uniform product construction which maps a datalog program into 
a single rule by essentially maintaining its semantics. We also prove that the datalog 
clause implication problem, i.e., deciding whether a datalog clause implies 
another one, is EXPTIME complete. 



1 Introduction 

Datalog is a deductive database query language based on logic programming 
[3,30,31,7]. Intensive work was dedicated to the study of various complexity 
aspects of different versions of datalog; for a survey, see [10]. While the complexity 
of general datalog is well understood, certain complexity issues concerning single rule 
datalog programs (sirups) were not pinpointed so far. It is the aim of this paper to close 
this gap. 

Sirups are datalog programs consisting of a single rule and a number of initializa- 
tions consisting of ground or nonground facts. A relational database is identified with a 
finite set of function-free ground atoms. 

Following Vardi [32], we distinguish between different kinds of complexity. The 
combined complexity of datalog is the complexity of determining whether for a given 
datalog program P, database db, and fact f, f is derivable from db via P (denoted 
by db ∪ P ⊨ f). The data complexity is the complexity of the same problem for a 
fixed program P. If, instead, the database db is fixed, then we speak about the program 
complexity. 

* This work was done while this author was on leave from the Institut für Informationssysteme, 
TU Wien, Austria. Gottlob’s work was supported by the Austrian Science Fund Project Z29-
INF and by a McKay Lectureship of UC Berkeley. Current email: gottlob@dbai.tuwien.ac.at 

Results about datalog programs with an arbitrary number of rules are summarized 
in Table 1, whose last column specifies the expressive power w.r.t. ordered struc- 
tures. The results about general datalog programs are well-known and can be found 
in [8,32,20,15,16,21,10]. A datalog program P is linear if each rule body of P contains 
at most one occurrence of an intensional database (IDB) predicate. The results about the 
data complexity and expressive power of linear programs over ordered structures can 
be found in [15,16], while the result on the program and combined complexity of linear 
datalog programs (PSPACE completeness) is proven in the present paper (Theorems 5 
and 6). 





                    Data Complexity    Progr. Complex.   Combined Complex.   Expr. Power 
General Programs    PTIME-cmplt        ETIME-cmplt       EXPTIME-cmplt       PTIME 
Linear Programs     NLOGSPACE-cmplt    PSPACE-cmplt      PSPACE-cmplt        NLOGSPACE 

Table 1: Complexity of Datalog Programs 



In this paper we are interested in sirups. It is well-known that even single clause 
sirups can express PTIME complete problems [29,22]; sirups are thus data-complete 
for PTIME. Several restricted classes of sirups that are highly parallelizable (i.e., in 
NC) were studied in e.g. [29,22,4]. 

It was also shown that several undecidability results for datalog or general logic 
programming carry over to sirups. Among these are results on the undecidability of 
datalog boundedness [2,19,26,25] and on the undecidability of the evaluation problem 
of logic programs in presence of function symbols [1,5,11,24,27,18]. 

The program and combined complexity, and the expressive power of sirups, how- 
ever, have remained unexplored until recently. 

In this paper we settle this problem by proving that the main complexity results for 
general logic programs also hold for very simple sirups. We also show that sirups have 
essentially the same expressive power as general logic programs. 

We consider the following classes of sirups: 

Absolute Sirups. These are datalog programs made of a single rule and no facts. 
Single Ground Fact Sirups (SGF Sirups). This class contains all datalog programs 
with one rule and at most one ground fact. 

General Sirups. This class contains all sirups, i.e., all datalog programs with one rule 
and some ground or nonground facts. 

For each of these classes we can further consider the corresponding subclass linear 
sirups. 

The main results of this paper are summarized in Table 2, whose last column speci- 
fies the expressive power of sirups over ordered, completed, and enriched structures, as 
explained later on. 
                                  Program Complexity   Combined Complexity   Expressive Power 
Absolute Sirups                   NP-complete          EXPTIME-complete      ⊆ PTIME 
Linear Absolute Sirups            NP-complete          PSPACE-complete       ⊆ NLOGSPACE 
General Sirups and SGF Sirups     ETIME-complete       EXPTIME-complete      PTIME 
Linear and Linear SGF Sirups      PSPACE-complete      PSPACE-complete       NLOGSPACE 

Table 2: Complexity of Sirups 



Our main complexity results for sirups are obtained by a product construction map- 
ping an arbitrary logic program P to a sirup XP such that P and XP have essentially 
the same semantics. 

Note that naively constructed products of programs fail to deliver a semantically 
equivalent program. For a simple example of this failure, assume that a database has a 
binary relation p, and the original datalog program is: 

r(X) ← p(a, X). 

r(X) ← p(b, X). 

Then, a sirup naively constructed from this program would have both 
p(a, X) and p(b, X) in its rule’s body, and would thus fail to deliver the correct 
result. In fact, the disjunction implicit in the original program would be transformed into 
a conjunction. 

We show that this problem can be circumvented by adding to the database a set 
BASIC of auxiliary relations: A relation and corresponding to the Boolean conjunc- 
tion, a relation equal for equality, and a relation select which “hardwires” a conditional 
statement. By use of the BASIC relations, disjunctions can be simulated correctly with 
single rule programs. Note that enriching a database by the corresponding BASIC rela- 
tions results in a polynomial increase of the database size only. 

By use of BASIC we are able to realize rather sophisticated programming constructs 
within a datalog rule body. In particular, we show how to implement a kind of CASE 
statement in a rule body which can perform different variable substitutions depending 
on corresponding conditions. 

Our main construction, the product sirup XP for a program P, uses such a CASE 
statement. In particular, each clause C of P is simulated by a particular case of the 
CASE statement. To be able to do this, we introduce the concept of a mould for a 
datalog rule. A mould is a generalization of the rule containing no constants and having 
no double occurrence of variables. For each clause C of P, XP contains as subclause 
a mould C' for C. For each substitution ϑ satisfying C, XP “forces” C' via appropriate 
instantiations to become equivalent to C, and makes all other (in this case irrelevant) 
atoms succeed. Thus, XP becomes, for the particular substitution, equivalent to 
C. In summary, XP is in essence equivalent to the original program P. 

All our complexity and expressiveness results follow rather straightforwardly from 
this construction and from the corresponding results for general datalog programs (see 
Table 1). 
Note that a different product construction was given by Abiteboul [2] in order to 
show that the boundedness problem for datalog sirups is undecidable. That construction 
does preserve program boundedness, but not equivalence. Moreover, it uses additional 
nonrecursive rules. It is thus not suited for the purposes pursued here. Note also that 
the above cited undecidability proofs for the evaluation problem of sirups with function 
symbols cannot be exploited to solve the complexity of datalog. All those proofs rely 
heavily on the coding-power of functions, but datalog is function-free. 

As a corollary to the EXPTIME complexity of evaluating sirups, it follows that 
checking whether a datalog rule C logically implies a datalog rule D is EXPTIME- 
complete. (Here datalog rules are conceived as universally closed first order sentences.) 
Note that the implication problem for datalog rules is relevant in the context of induc- 
tive logic programming (cf. [23]). Its precise complexity was settled only for restricted 
versions. 

The paper is organized as follows. In Section 2, we define a number of relevant 
concepts and complexity classes. In Section 3, we describe the BASIC relations and 
show how the CASE construct can be implemented. In Section 4, we introduce the 
concept of a mould and show how moulds can interact with a CASE statement. The 
product construction is described in Section 5. Our main complexity results are then 
easily derived in Section 6. In Section 7, we argue that the expressive power of datalog 
sirups is essentially the same as the expressive power of general datalog programs. 



2 Preliminaries and Notation 

2.1 Relational Databases and Datalog 

A database db consists of a finite universe U and a finite set of relations of specified 
arity over U. An element of a relation is called a tuple. In this paper, w.l.o.g., every 
database universe U is identified with an initial segment [0, n — 1] of the natural num- 
bers. Moreover, we always assume that U has at least two elements, and thus the inte- 
gers 0 and 1 belong to U. When it is clear from the context, we may identify a database 
db with the set of all tuples contained in its relations. 

A datalog term is either a variable X or a constant c. An atom is a formula 
p(t1, ..., tn), where p is a predicate symbol of arity n and each ti is a term. An atom 
is ground, if all ti are constants. 

A datalog clause (or rule) is an expression of the form A0 ← A1, ..., Am, where 
each Ai is an atom. The parts on the left and on the right of ← are the head and the 
body of the rule, respectively. A rule r of the form A0 ←, i.e., whose body is empty, is 
called a fact, and if A0 is a ground atom, then r is called a ground fact. 

A datalog clause C is a subclause (or subrule) of a datalog clause D if the heads of 
C and D coincide and if every body atom of C also occurs in the body of D. (Note that 
the order of occurrence is irrelevant.) 

A datalog program is a finite set of datalog clauses. A rule or a datalog program 
is ground, if all terms in it are ground. A datalog program is evaluated over relational 
databases. 
The predicate symbols appearing in the head of a datalog program are referred to 
as the intensional database predicates (IDB predicates), while those occurring only in 
rule bodies are called extensional database predicates (EDB predicates). The IDB predicates can 
be further subdivided into output predicates (containing the output of the program) and 
auxiliary predicates (containing intermediate results). This division is, however, not of 
great importance for the present paper. 

For the definition of various classes of sirups, refer to the introduction. 

If Q is a syntactic object, e.g., an atom, a clause, or a program, then we denote by 
var(Q) the set of all variables occurring in Q. If V is a set of variables and Δ a set 
of constants, then a substitution ϑ : V → Δ is a mapping from V to Δ. If Q is a 
syntactic object and ϑ a substitution having domain V, then the substitution instance 
Qϑ is obtained from Q by (simultaneously and uniformly) substituting ϑ(X) for X for 
each variable X occurring in Q. 

The semantics of datalog is as follows. Let P be a datalog program and let 
db be a database over universe U. The program ground(P, U) is defined by 
⋃_{C ∈ P} ground(C, U), where ground(C, U) consists of the set of all substitution 
instances Cϑ of clause C, for all substitutions ϑ : var(P) → U. Ground 
atoms can be identified with propositional atoms. A ground fact f is deducible from 
a database db with universe U via datalog program P, denoted by db ∪ P ⊨ f, iff 
db ∪ ground(P, U) ⊨ f, i.e., if f is a logical consequence of the set of all database 
and ground program atoms. Two datalog rules are equivalent if for any database they 
derive the same facts. 

Note: We do not require that the IDB relations be initially empty; rather, the IDB 
relations of a datalog program may occur in the database with some initial value. This 
setting, which is also adopted in [4], makes sense in the context of absolute sirups, for 
otherwise a recursive absolute sirup does not compute anything. However, this assump- 
tion is of relevance to absolute sirups only. All results of this paper on all other types of 
sirups remain valid if we adopt the more standard assumption that IDB relations do not 
occur in the database and are initially empty (see also the remark in Section 6.1). 

It is easy to see that for each database db, db ∪ P ⊨ f iff there exists a proof tree 
for f based on P and db over universe U. The vertices of such a tree are IDB ground 
atoms g, the root being f. For each vertex there exists a clause C : head ← body in P 
and a ground substitution ϑ such that headϑ = g, all EDB atoms in bodyϑ are in 
db, and the IDB atoms in bodyϑ are the children of g in the proof tree. 

2.2 Relevant Complexity Classes 

The concepts of data complexity, combined complexity, and program complexity were 
already defined in the introduction. 

The complexity classes relevant to this paper are the well-known classes 
LOGSPACE, PTIME, NP, and PSPACE, as well as the following exponential classes: 

ETIME = ⋃_{d>0} DTIME(2^{dn}),      EXPTIME = ⋃_{d>0} DTIME(2^{n^d}). 

It is well-known that ETIME is not closed under logspace reductions and that every 
problem complete for ETIME is also complete for EXPTIME. Moreover, EXPTIME 
is the closure under LOGSPACE many-one reductions of ETIME. ETIME is thus not 
a robust complexity class. Nevertheless, stating that a problem is ETIME-complete is 
more informative than stating it is EXPTIME-complete. In fact, if a problem is ETIME- 
complete, then it is EXPTIME-complete and it is in ETIME. Note that ETIME is a 
proper subclass of EXPTIME and not all EXPTIME-complete problems are in ETIME. 

All reductions performed in the present paper are LOGSPACE many-one reduc- 
tions, and all completeness results are w.r.t. such reductions. 

2.3 Descriptive Complexity 

Descriptive complexity theory [17,12,21] deals with the expressive power of logical 
formalisms over finite structures and describes it in terms of complexity classes. 

A database property π is an isomorphism-invariant Boolean property of databases 
of a given schema. For example, graph three-colorability is a database property over 
databases with a single binary relation representing a graph. 

Let C be a complexity class. A database property π is C-decidable if the problem of 
deciding whether a given database satisfies π (written π(db)) is in C. 

A Boolean datalog query consists of a datalog program P and a ground fact f. For 
a database db, the query answer is yes if db ∪ P ⊨ f, otherwise the answer is no. 

Let us refer to finite Φ-structures when we speak about the set of all finite structures 
that are restricted by some qualification Φ. For example the ordered structures are all 
those structures equipped with a linear order (successor relation) over the universe. In 
Section 7 we will define other relevant qualifications of structures. 

A class 𝒫 of datalog programs captures the complexity class C over finite Φ-
structures if for all such structures, the evaluation problem for Boolean 𝒫-queries is 
in C, and if every C-decidable database property over finite Φ-structures is expressible 
by a Boolean 𝒫-query. 

Well-known results about the expressive power of general and linear datalog pro- 
grams over ordered structures are given in Table 1 of the introduction. 

3 Useful Features of Single-Rule Programs 

In this section we discuss different useful features that can be achieved by datalog pro- 
grams that consist of a single clause, provided the database contains some basic facts. 
First, in Subsection 3.1, we define for each universe U a set BASIC{U) of basic aux- 
iliary facts. The following subsections describe more and more complex program con- 
structs we are able to build by use of the basic facts. The most important one is the 
CASE statement explained in Section 3.4. 

3.1 Basic Auxiliary Facts 

Let and(X, Y, Result) be a relation encoding the logical conjunction: 

and = {and(0, 0, 0), and(0, 1, 0), and(1, 0, 0), and(1, 1, 1)}. 
Moreover, for each finite universe U, define the relation instances equal_U and select_U 
over the respective relation schemas equal(X, Y, R) and select(Cond, X, Y, Res) as 
follows: 

equal_U = {equal(X, X, 1) | X ∈ U} ∪ {equal(X, Y, 0) | X, Y ∈ U ∧ X ≠ Y}, 

thus equal(X, Y, R) “assigns” 1 to the result R if X and Y are bound to the same value 
and assigns zero to R otherwise. 

select_U = {select(0, X, Y, X) | X, Y ∈ U} ∪ {select(1, X, Y, Y) | X, Y ∈ U}, 

thus select(Cond, X, Y, Res) assigns X to Res if Cond is 0 and Y if Cond is 1. 

By BASIC(U) we denote the union of all facts contained in the relations and, 
equal_U and select_U; when U is understood, we refer to these facts simply as the BASIC 
facts. We always assume w.l.o.g. that an original database db does not contain any 
and, equal or select facts. We can then extend every database db over universe U to a 
database db+ by adding the facts BASIC(U) to db. 

We will furthermore consider the following special relations succ(·, ·), min(·), and 
max(·): The relation succ is a successor relation for some linear order on U, and min 
and max are singleton relations that identify the first and the last element w.r.t. this 
order, respectively. We will denote by ORDER the facts corresponding to these three 
relations, and by db* the extension of any database db by such a successor ordering. 
In particular, db*+ is the extension of db by both successor ordering and BASIC facts. 

3.2 Vectorized Equality-Checks and Selections 

Here we show how to extend the primitive relations equal and select to arguments that 
are vectors (i.e., lists) of variables instead of single variables. This will not require to 
add any new facts to the database, but can be entirely done within the body of a rule. 

Let X = X1, X2, ..., Xk and Y = Y1, Y2, ..., Yk be k-ary lists of terms, Z = 
Z1, Z2, ..., Zk a k-ary list of variables, and Cond and R single variables. We define 
the following abbreviations for conjunctions of literals in a rule body: 

EQUAL(X, Y, R) = ⋀_{1≤i≤k} equal(Xi, Yi, Ri) ∧ and(R1, R2, R'2) ∧ 
                 ⋀_{2≤i≤k-2} and(R'i, R_{i+1}, R'_{i+1}) ∧ and(R'_{k-1}, Rk, R), 

where the variables Ri and R'j, 1 ≤ i ≤ k, 2 ≤ j ≤ k − 1, are fresh variables not used 
anywhere else. 

SELECT(Cond, X, Y, Z) = ⋀_{1≤i≤k} select(Cond, Xi, Yi, Zi). 

It is easy to see that the EQUAL and SELECT constructs fulfil their intended 
purposes. We omit a formal proof. 
3.3 Negation and Disjunction 

From the basic relations and and equal, we can define negation and disjunction as 
abbreviations as follows. NOT(X, Y) = equal(X, Y, 0), and 
OR(X, Y, Z) = NOT(X, X') ∧ NOT(Y, Y') ∧ and(X', Y', Z') ∧ NOT(Z', Z), 
where the primed variables are fresh variables not occurring anywhere else. 

From the definition of equal and by De Morgan’s laws it follows immediately that 
over the restricted domain {0, 1} NOT and OR have their intended meaning when 
evaluated over any database db+. 

3.4 Simple Case Statements in Rule Bodies 

We now show how to simulate, within a clause body, simple CASE statements such 
as the following: 

CASE 

X^1 = T^1 DO Y := Z^1; 

X^2 = T^2 DO Y := Z^2; 

... 

X^k = T^k DO Y := Z^k; 

ENDCASE 

where for 1 ≤ i ≤ k, X^i and T^i are vectors of variables or constants of length r_i, and 
Y is a block of variables of length s, disjoint from any other variable list occurring in 
the CASE statement, and each Z^i (1 ≤ i ≤ k) is a block of s variables, respectively. 

The intended meaning of the CASE statement occurring within the body of a clause 
C is intuitively described as follows. Assume the CASE statement is evaluated over a 
database db+ in a context where all variables, except those in Y, have already been 
unified with some constant values via a substitution ϑ. It then should hold that: 

- If ϑ falsifies all conditions X^i = T^i, then C fails over db+. 

- If exactly one of the conditions X^i = T^i is satisfied by ϑ, then there is precisely 
one “legal” extension ϑ' ⊇ ϑ of ϑ to the variables in Y, and this extension is given 
by the assignment Y := Z^i. 

- If more than one condition is satisfied, then the meaning of the CASE statement 
is undefined (this case will never occur in the programs used below). 

The above CASE statement is a syntactic shorthand for the conjunction of the 
following three conjunctions of atoms: 

1. ⋀_{1≤i≤k} EQUAL(X^i, T^i, T_i), where each T_i, for 1 ≤ i ≤ k, is a fresh variable; 

2. The conjunction 

SELECT(T_1, Z^1, Z^1, Y^1) ∧ SELECT(T_2, Y^1, Z^2, Y^2) ∧ ··· ∧ 
SELECT(T_i, Y^{i-1}, Z^i, Y^i) ∧ ··· ∧ 
SELECT(T_{k-1}, Y^{k-2}, Z^{k-1}, Y^{k-1}) ∧ SELECT(T_k, Y^{k-1}, Z^k, Y), 

where the Y^i are blocks of fresh variables for 1 ≤ i ≤ k − 1; 

3. OR(T_1, T_2, T'_2) ∧ OR(T'_2, T_3, T'_3) ∧ ··· ∧ OR(T'_{k-1}, T_k, 1), where the T'_j are fresh 
variables. 



We refer to the expansion of a CASE statement CASE as the conjunction of all 
literals occurring in the above described realization of CASE. The hidden variables 
hiddvar(CASE) of CASE are all the variables occurring in the expansion of CASE 
but not in the presentation of the statement itself. 

The correctness of the construction is formally stated by the following lemma. 

Lemma 1. Assume a simple CASE statement CASE as above appears in the body 
body(C) of some clause C. Let db be a database. Assume ϑ is a substitution mapping 
each variable in X^1, ..., X^k, T^1, ..., T^k, and Z^1, ..., Z^k to some element of the 
universe U of db. 

(i) If for each 1 ≤ i ≤ k, X^iϑ ≠ T^iϑ, then CASEϑ evaluates to false over db+ and 
thus body(C)ϑ evaluates to false over db+. 

(ii) If exactly one condition X^iϑ = T^iϑ is true, then there is exactly one way to extend 
ϑ to a substitution ϑ' ⊇ ϑ covering hiddvar(CASE) and all variables in Y such 
that CASEϑ' evaluates to true over db+. Moreover, this substitution ϑ' is such 
that Yϑ' = Z^iϑ. 
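The following is an added worked example, not code from the paper: a small evaluator for a single datalog rule over db+ = db ∪ BASIC(U) that generates the BASIC facts of Section 3.1, the EQUAL/SELECT abbreviations of Section 3.2, the NOT/OR abbreviations of Section 3.3, and the three-part expansion of a simple CASE statement from Section 3.4, and then runs them. It also shows the introduction's two-rule program r(X) ← p(a, X), r(X) ← p(b, X) written as one rule. The sample relation p, the universe U = {0, 1, 2, 3}, and the choice a = 0, b = 1 are constructed for this example; variable names starting with an underscore play the role of the paper's fresh (primed) variables.

```python
"""Added example, not code from the paper: a small evaluator for one datalog
rule over db+ = db U BASIC(U), running the NOT/OR abbreviations (Section 3.3),
the vectorized EQUAL/SELECT (Section 3.2) and the expansion of a simple CASE
statement (Section 3.4).  U = {0,...,n-1}; variables are strings, constants
ints.  The relation p and the constants a = 0, b = 1 below are constructed."""
from collections import defaultdict
import itertools

_counter = itertools.count()

def fresh(prefix="_V"):
    """A fresh variable occurring nowhere else (the paper's primed variables)."""
    return f"{prefix}{next(_counter)}"

def basic_facts(n):
    """BASIC(U) for U = {0,...,n-1}: the relations and, equal_U and select_U."""
    facts = [("and", x, y, x & y) for x in (0, 1) for y in (0, 1)]
    for x, y in itertools.product(range(n), repeat=2):
        facts += [("equal", x, y, int(x == y)),
                  ("select", 0, x, y, x), ("select", 1, x, y, y)]
    return facts

def NOT(x, y):                      # over {0,1}: y = 1 - x
    return [("equal", x, y, 0)]

def OR(x, y, z):                    # De Morgan: z = not(and(not x, not y))
    xp, yp, zp = fresh(), fresh(), fresh()
    return NOT(x, xp) + NOT(y, yp) + [("and", xp, yp, zp)] + NOT(zp, z)

def EQUAL(xs, ys, r):
    """Vectorized equality: r = 1 iff xs and ys agree in every component."""
    if len(xs) == 1:
        return [("equal", xs[0], ys[0], r)]
    rs = [fresh() for _ in xs]
    atoms = [("equal", x, y, ri) for x, y, ri in zip(xs, ys, rs)]
    acc = rs[0]
    for i, ri in enumerate(rs[1:]):  # and-chain: R1,R2 -> R'2; ...; R'k-1,Rk -> R
        out = r if i == len(rs) - 2 else fresh()
        atoms.append(("and", acc, ri, out))
        acc = out
    return atoms

def SELECT(cond, xs, ys, zs):
    return [("select", cond, x, y, z) for x, y, z in zip(xs, ys, zs)]

def CASE(cases, Y):
    """Expand CASE X^1=T^1 DO Y:=Z^1; ...; X^k=T^k DO Y:=Z^k ENDCASE (k >= 2).
    cases = [(X_i, T_i, Z_i), ...] as lists of terms; Y = output variable block."""
    k, T, atoms = len(cases), [fresh("_T") for _ in cases], []
    for (xs, ts, _), ti in zip(cases, T):                 # 1. condition flags T_i
        atoms += EQUAL(xs, ts, ti)
    prev = cases[0][2]                                    # 2. select chain ending in Y
    for i, ((_, _, zs), ti) in enumerate(zip(cases, T)):
        out = Y if i == k - 1 else [fresh("_Y") for _ in Y]
        atoms += SELECT(ti, prev, zs, out)
        prev = out
    acc = T[0]                                            # 3. OR of all T_i must be 1
    for i, ti in enumerate(T[1:]):
        out = 1 if i == k - 2 else fresh("_T")
        atoms += OR(acc, ti, out)
        acc = out
    return atoms

def _unify(atom, fact, subst):
    """Extend subst so that atom becomes fact, or return None."""
    if atom[0] != fact[0] or len(atom) != len(fact):
        return None
    s = dict(subst)
    for t, c in zip(atom[1:], fact[1:]):
        if isinstance(t, str):
            if s.setdefault(t, c) != c:
                return None
        elif t != c:
            return None
    return s

def _solve(body, index, subst):
    """Nested-loop join: yield every substitution making all body atoms facts."""
    if not body:
        yield subst
        return
    for fact in index[body[0][0]]:
        s = _unify(body[0], fact, subst)
        if s is not None:
            yield from _solve(body[1:], index, s)

def evaluate(head, body, facts):
    """Ground head atoms obtained by one application of head <- body over facts."""
    index = defaultdict(list)
    for f in facts:
        index[f[0]].append(f)
    return {tuple(s.get(t, t) for t in head[1:]) for s in _solve(body, index, {})}

DB = [("p", 0, 2), ("p", 1, 3), ("p", 2, 3)]      # constructed sample relation p
DB_PLUS = DB + basic_facts(4)                      # db+ for U = {0,1,2,3}

def disjunction_sirup():
    """The introduction's r(X) <- p(a,X). r(X) <- p(b,X). as ONE rule (a=0, b=1):
    r(X) <- p(Y,X), equal(Y,a,E1), equal(Y,b,E2), OR(E1,E2,1)."""
    body = [("p", "Y", "X"), ("equal", "Y", 0, "E1"), ("equal", "Y", 1, "E2")]
    return evaluate(("r", "X"), body + OR("E1", "E2", 1), DB_PLUS)

def case_sirup():
    """q(X,R) <- p(X,W), CASE (X)=(0) DO (R):=(W); (X)=(1) DO (R):=(X) ENDCASE."""
    body = [("p", "X", "W")] + CASE([(["X"], [0], ["W"]), (["X"], [1], ["X"])], ["R"])
    return evaluate(("q", "X", "R"), body, DB_PLUS)
```

Two points worth noticing when running it: the naive single rule r(X) ← p(0, X), p(1, X) derives nothing on this database, while disjunction_sirup() derives r(2) and r(3), exactly what the two-rule program derives; and in case_sirup() the tuple p(2, 3) satisfies neither condition, so the OR conjunction (part 3 of the expansion) fails and no q atom is produced for it, which is the behaviour Lemma 1(i) describes. Note also that NOT(X, X') alone admits any X' ≠ X over U; the extra bindings are only killed when X' later meets an and atom, which is why the paper restricts NOT and OR to the domain {0, 1}.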

3.5 Extended Case Statements 

For the sake of a more comfortable reading of simple CASE statements, we adopt the 
following syntactic conventions and extensions of the CASE statement. 

Conjunctive conditions. Conditions of the form X^1 X^2 ··· X^r = T^1 T^2 ··· T^r, where 
|X^i| = |T^i| for 1 ≤ i ≤ r, can be written in the more suggestive form X^1 = T^1 ∧ 
X^2 = T^2 ∧ ... ∧ X^r = T^r. 

Compound Assignments. An assignment of the form Y^1 Y^2 ··· Y^r := Z^1 Z^2 ··· Z^r 
may be rewritten as the compound assignment Y^1 := Z^1; Y^2 := Z^2; ...; Y^r := Z^r. 

Inequality tests. We may use inequalities in the conditions. For example, we may write 
a condition X ≠ T^i. This can be simulated as follows by an equality. Introduce a new 
variable W. Add the construct EQUAL(X, T^i, W) to the body of the clause containing 
the CASE statement, and replace the condition X ≠ T^i by W = 0. 

4 Moulds 

A datalog rule C is a mould if it has no occurrences of constants and no double 
occurrences of variables. If C and D are rules of the form: 

C : H ← B1, ..., Bn 

D : H' ← B'1, ..., B'n 

then C is a mould for D if C is a mould and there exists a substitution ϑ defined on 
var(C) such that Hϑ = H' and for each 1 ≤ i ≤ n, Biϑ = B'i. 

If C is a mould for D via substitution ϑ, we define two syntactic objects cond(C, D) 
and assgt(C, D) as follows. 

cond(C, D): Let ϑ be the unique substitution that translates C “literalwise” into D as 
above. Then cond(C, D) is a conjunction containing, for each variable X occurring 
in the body of C, the equation X = a if Xϑ = a for some constant a, and, if Xϑ 
is not a constant but coincides with the ϑ-image of some other (lexicographically 
smaller) body-variable of C, the equation X = Y for the lexicographically smallest 
variable Y in the body of C such that Yϑ = Xϑ. 
assgt(C, D): assgt(C, D) is a list of assignments containing precisely the following 
assignments: 

- an assignment X := a for each head variable X of C, where Xϑ = a is a constant; 

- an assignment X := Y, for each head variable X of C, where Xϑ is a 
variable, and where Y is the lexicographically smallest variable in the body 
of C such that Xϑ = Yϑ. (Note: We assume w.l.o.g. that clause D is range-
restricted, i.e., each head-variable of D also occurs in the body of D; thus, a 
variable Y as above always exists in C.) 

Example 1. Consider the following two clauses: 

C : p(X1, X2) ← p(X3, X4), q(X5, X6), r(X7, X8, X9). 

D : p(a, X) ← p(X, Y), q(Y, Y), r(X, b, Y). 

Here, C is a mould for D, and we have: 

cond(C, D) = X5 = X4 ∧ X6 = X4 ∧ X7 = X3 ∧ X8 = b ∧ X9 = X4 and 
assgt(C, D) = X1 := a; X2 := X3. 

Let us denote by σ_c(C, D) the substitution {X/t | (X = t) ∈ cond(C, D)} and by 
σ_a(C, D) the substitution {X/t | (X := t) ∈ assgt(C, D)}. 

Lemma 2. If C = Head ← Body is a mould for D, then the clause C' = 
Head σ_a(C, D) ← Body σ_c(C, D) is equivalent to D. 
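An added worked example, not code from the paper, of the definitions in this section: it builds the mould of a clause D, computes cond(C, D) and assgt(C, D) following the rules above, and checks Lemma 2 by applying σ_a to the head and σ_c to the body and comparing the result with D up to renaming of variables. Clauses are represented as lists of atoms with the head first; variables are capitalised strings and constants lowercase strings (a representation chosen here). "Smallest variable" is taken as the first one created (X1 before X2, ...), which agrees with the lexicographic order used in Example 1 but is this example's own assumption once more than nine variables are involved.

```python
"""Added example, not code from the paper: build the mould C of a clause D,
compute cond(C, D) and assgt(C, D) (Section 4), and check Lemma 2.
Clauses: lists of atoms, head first; atoms: (predicate, *terms); variables are
capitalised strings, constants lowercase strings.  "Smallest" variable means the
first one created (X1 < X2 < ...), an assumption of this example."""


def is_var(term):
    return term[:1].isupper()


def mould_of(clause):
    """The mould of D: same predicates, a fresh variable X1, X2, ... in every
    argument position, plus the substitution theta translating it back into D."""
    mould, theta, n = [], {}, 0
    for pred, *args in clause:
        new_args = []
        for arg in args:
            n += 1
            new_args.append(f"X{n}")
            theta[f"X{n}"] = arg
        mould.append((pred, *new_args))
    return mould, theta


def cond_and_assgt(mould, theta):
    """cond(C, D): equations on body variables of C; assgt(C, D): head assignments."""
    head, body = mould[0], mould[1:]
    body_vars = [v for atom in body for v in atom[1:]]      # in creation order
    first = {}                      # theta-image -> smallest body variable with it
    for v in body_vars:
        first.setdefault(theta[v], v)
    cond = []
    for v in body_vars:
        img = theta[v]
        if not is_var(img):
            cond.append((v, "=", img))                      # X = a, a constant
        elif first[img] != v:
            cond.append((v, "=", first[img]))               # X = Y, Y smallest, same image
    assgt = []
    for v in head[1:]:
        img = theta[v]
        if is_var(img) and img not in first:
            raise ValueError(f"D not range-restricted: head variable {img} not in body")
        assgt.append((v, ":=", img if not is_var(img) else first[img]))
    return cond, assgt


def instantiate(mould, cond, assgt):
    """Head sigma_a <- Body sigma_c, the clause C' of Lemma 2."""
    sigma_c = {v: t for v, _, t in cond}
    sigma_a = {v: t for v, _, t in assgt}
    head = (mould[0][0], *[sigma_a.get(t, t) for t in mould[0][1:]])
    body = [(a[0], *[sigma_c.get(t, t) for t in a[1:]]) for a in mould[1:]]
    return [head] + body


def alpha_equivalent(c1, c2):
    """Equal up to a bijective renaming of variables (constants must match)."""
    fwd, bwd = {}, {}
    if len(c1) != len(c2):
        return False
    for a1, a2 in zip(c1, c2):
        if a1[0] != a2[0] or len(a1) != len(a2):
            return False
        for t1, t2 in zip(a1[1:], a2[1:]):
            if is_var(t1) != is_var(t2):
                return False
            if not is_var(t1) and t1 != t2:
                return False
            if is_var(t1) and (fwd.setdefault(t1, t2) != t2 or bwd.setdefault(t2, t1) != t1):
                return False
    return True


# Example 1 of the paper:  D : p(a,X) <- p(X,Y), q(Y,Y), r(X,b,Y).
EXAMPLE_D = [("p", "a", "X"), ("p", "X", "Y"), ("q", "Y", "Y"), ("r", "X", "b", "Y")]


def example1():
    """Mould, cond and assgt for Example 1."""
    mould, theta = mould_of(EXAMPLE_D)
    cond, assgt = cond_and_assgt(mould, theta)
    return mould, cond, assgt
```

For Example 1 the functions reproduce the paper's cond(C, D) and assgt(C, D) literally, and instantiate() yields p(a, X3) ← p(X3, X4), q(X4, X4), r(X3, b, X4), which is D with X renamed to X3 and Y to X4.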

In Section 5 we will show how a datalog program P with several rules R1, ..., Rr 
can be simulated by a program XP containing a single rule R. The basic idea is to 
design R such that an appropriate subset R'_i of R will act as a mould for R_i. A CASE 
statement in the body of R will then distinguish between r different cases (corresponding 
to the r different rules of P). The i-th case will “force” R'_i to become equivalent to 
R_i by suitable conditions and assignments. 

The following technical lemma will be useful to prove the correctness of this ap- 
proach. 
Lemma 3. Let C = head(C) ← body(C) be a mould for a clause D = 
head(D) ← body(D). Let Case denote a CASE statement whose i-th case is of the form: 

choice ∧ cond(C, D) DO assgt(C, D), 

where choice is a conjunction of equations whose variables are disjoint from those in 
C. 

Consider a datalog rule R of the form 

head(C) ← body(C) ∧ Case ∧ Rest, 

where Rest is a conjunction of literals that have no variables in common with C, such 
that var(choice) ⊆ var(Rest). Let db be a database over a universe U, and let λ be 
a substitution λ : var(Rest) → U. If 

- choiceλ evaluates to true, and 

- the conditions of all other cases of the CASE statement are inconsistent with λ, and 

- Restλ ⊆ db+, 

then Rλ is equivalent to D over db+, i.e., ground(Rλ, U) and ground(D, U) compute 
the same atoms over db+. 



5 The Product Construction 

In this section we present the product construction, which for each datalog program 
P defines an essentially equivalent single-rule program XP. Before describing this 
construction, we deal with two standardization features. 



5.1 Program Degrees 

The degree deg{P) of a datalog program P is the maximal number of occurrences 
of IDB predicates in a rule body of P. P is linear if deg{P) < 1. P is quadratic if 
deg{P) < 2. 

Recall that datalog programs have input, output and auxiliary predicates. Two dat- 
alog programs are equivalent if they have the same input and output predicates and 
compute the same result over each database. Equivalent programs may have differ- 
ent auxiliary predicates. Each datalog program can be transformed into an equivalent 
quadratic program as follows: Break rules with more than two IDB atoms in the body 
into several rules by using new auxiliary predicates. 

Lemma 4. Each datalog program P can be transformed into an equivalent quadratic 
program P'. The transformation is feasible in logspace. 
5.2 Eliminating Multiple IDB Predicates

To transform a program P with several IDB predicates into an essentially equivalent
program P* with a unique IDB predicate, we proceed in two steps:

1. Pad all relations with a dummy constant 0 so that they are all of the same arity.

2. Let $p_1, \ldots, p_h$ be the different names of IDB predicates in P. Replace all instances
$p_i(V)$ with $r(V, \bar{i})$, where $\bar{i}$ is the $\lceil \log h \rceil + 1$ long binary encoding of i.

In summary, we obtain P* from P by replacing each IDB literal $p_i(t_1, \ldots, t_k)$
with a suitable literal $r(t_1, \ldots, t_k, 0^{a-k}, \bar{i})$, where a is the maximum arity of any IDB
predicate in P.

Note that the vector $\bar{0}$ of $\lceil \log h \rceil + 1$ zeroes does not encode any IDB predicate in
P, but will be used as a dummy value in our subsequent product construction.

Lemma 5. For any program P with maximum IDB arity a, for any database db, for
any k-tuple b of elements of the universe U of db, and for any predicate $p_i$ of P,
$P \cup db \models p_i(b)$ iff $P^* \cup db \models r(b, 0^{a-k}, \bar{i})$.



5.3 The Product Program

Let P be a datalog program. Without loss of generality we assume that deg(P) ≤ 2.
Let $p_1, \ldots, p_h$ be the IDB predicates occurring in P.

Transform P, as described above, into an equivalent program P* having a unique
IDB predicate r. The r-atoms thus have the form r(A, B), where A and B are term
vectors of dimension a and $\lceil \log h \rceil + 1$, respectively.

The multiplicity mult(q) of an EDB predicate q occurring in P* is the maximal
number of q-atoms occurring in a rule body of P*.

We now proceed by describing various conjuncts of atoms which will serve as constituents of the sirup XP.

Generic EDB Atoms of XP. For each EDB predicate q of arity a occurring in P*, define
the set of generic q atoms $Gen(q) = \{gen_i(q) \mid 1 \le i \le mult(q)\}$, where $gen_i(q)$ is
the atom $q(X^i)$, where $X^i$ is a list of a fresh variables that are mutually distinct and
distinct from all other variables occurring in XP.

Let GEN denote the conjunction of all such generic atoms.

Recursive Atoms of XP. We define the conjunction of atoms REC as follows:

- REC = r(V, J) if deg(P) < 2, and

- REC = r(V, J) ∧ r(W, K) if deg(P) = 2.

Here V, W are a-ary vectors of variables, where a is the maximum IDB arity, and J, K
are ℓ-ary vectors of variables (with $\ell = \lceil \log h \rceil + 1$), and all variables in V, W, J, K
are mutually distinct and distinct from all previously defined variables.
The Head Atom. Let HEAD be the atom r(U, I), where U is an a-ary vector of
variables, and I is an ℓ-ary vector of variables, and all variables in U, I are mutually
distinct and distinct from all previously defined variables.

Moulds for Rules in P*. Consider the rule $T: HEAD \leftarrow REC \wedge GEN$. Note that T
contains as subrule a mould for each rule D of P* (even several such moulds may be
possible). Choose one such mould for each clause D of P* and denote it by $\bar{D}$.

The Choice Construct. Let s be the number of rules in P*. The program XP needs
to choose (via unification) one rule of P at a time. This is realized by a conjunction of
atoms CHOICE(C), where $C = C_1 C_2 \cdots C_p$ is a vector of $p = \lceil \log s \rceil$ variables. In
particular, if the variables C in CHOICE(C) are instantiated by a vector T of Boolean
values, then T identifies (at most) one rule of P*. CHOICE(C) is realized as follows:

$CHOICE(C) = and(C_1,R_1,S_1) \wedge and(C_2,R_2,S_2) \wedge \cdots \wedge and(C_p,R_p,S_p),$

where the C, R, and S variables are all mutually distinct fresh variables (not occurring
in P*). The role of CHOICE is simply to determine a particular rule, say, rule number i,
by binding the vector of variables $C_1 \ldots C_p$ to the corresponding binary representation
$\bar{i}$ of i. (The fact that this is realized via and atoms should not confuse the reader; we
could have used select atoms instead; the R and S variables are just fillers that will not
be used outside the CHOICE construct.)

Main rule of XP. The program XP consists of a single rule of the form

$HEAD \leftarrow REC \wedge GEN \wedge CHOICE(C) \wedge CASE$

where CASE denotes the following statement:

CASE
$C = \bar{1} \wedge cond(\bar{D}_1, D_1)$ DO $assgt(\bar{D}_1, D_1)$;
...
$C = \bar{i} \wedge cond(\bar{D}_i, D_i)$ DO $assgt(\bar{D}_i, D_i)$;   (1 ≤ i ≤ r)
...
$C = \bar{r} \wedge cond(\bar{D}_r, D_r)$ DO $assgt(\bar{D}_r, D_r)$;
ENDCASE

where $D_1, \ldots, D_r$ are the clauses of P*. Intuitively, the role of the i-th line of the
CASE statement is to emulate the i-th rule in the program P*.

This completes the description of XP. Obviously XP can be constructed from P
in LOGSPACE.

For a program XP, we denote by r(0) the fact r(0, 0, ..., 0).

Theorem 1. Let db be a database over universe U, whose relations are all nonempty.
Let P be a datalog program over db whose IDB predicates are of maximal arity a. Let
$p_j$ be the j-th IDB predicate symbol in P, and let c be its arity. Let t be a vector in $U^c$.
We then have:

$db \cup P \models p_j(t)$ iff $db^+ \cup \{r(0)\} \cup XP \models r(t, 0^{a-c}, \bar{j})$.

Proof. By Lemma 5 it suffices to show that

$db \cup P^* \models r(t, 0^{a-c}, \bar{j})$ iff $db^+ \cup \{r(0)\} \cup XP \models r(t, 0^{a-c}, \bar{j})$.

We use induction on the minimal derivation depth δ of the ground fact $r(t, 0^{a-c}, \bar{j})$
w.r.t. program P*, i.e., the depth of a minimal derivation tree. For δ = 0, the claim
holds because we can infer only db facts via P* and only $db^+$ facts and r(0) via XP
in zero steps. None of these facts fit the pattern $r(t, \bar{i})$ where $\bar{i} \neq \bar{0}$.

Assume the claim holds for derivation depth m. We show it for δ = m + 1.

Define the following EDBs:

$db_m$ is the database consisting of all facts derivable from db via P* having derivation
depth ≤ m;

$db^+_m$ is the database consisting of all facts derivable from $db^+ \cup \{r(0)\}$ via XP having
derivation depth ≤ m.

By the induction hypothesis we have $db^+_m = db_m \cup BASIC \cup \{r(0)\}$.

If. Assume $db^+ \cup \{r(0)\} \cup XP \models r(t, 0^{a-c}, \bar{j})$, where the ground fact $r(t, 0^{a-c}, \bar{j})$
has derivation depth δ = m + 1. Consider the last derivation step. In this step the
body of rule XP succeeds over $db^+_m$. CHOICE(C) in XP must succeed and thus
C is instantiated to a Boolean vector $\bar{i}$ corresponding to some integer i. Since also
the CASE construct succeeds, this means that i > 0 and that the instantiation of C
is consistent with precisely the precondition of the i-th case in the CASE statement.
By Lemma 3 it then follows that $r(t, 0^{a-c}, \bar{j})$ can be derived in one step by some rule
D of P* from the database $db^+_m$. Since rule D of P* cannot use fact r(0) nor the
BASIC facts, $r(t, 0^{a-c}, \bar{j})$ can be derived in one step by rule D of P* from $db_m$.
Hence $db \cup P^* \models r(t, 0^{a-c}, \bar{j})$.

Only if. Assume that $db \cup P^* \models r(t, 0^{a-c}, \bar{j})$ and that this fact has derivation depth
δ by P*. Let D be the rule of P* deriving this fact in one step from $db_m$ and assume
D is the i-th rule of P*. Let γ be the ground substitution for the variables of D in the
last step of the derivation of $r(t, 0^{a-c}, \bar{j})$.

Let $\bar{D} \subseteq XP$ be the mould for D according to the construction of XP as described
above, and let θ be the substitution translating $\bar{D}$ into D. Let Rest denote all
atoms in the body of XP which are neither in $\bar{D}$ nor in CASE. Consider the following
substitution $\lambda : var(Rest) \rightarrow U$:

- $\lambda(C) := \bar{i}$; the other variables of CHOICE are defined accordingly.

- Let GEN' denote the atoms of GEN which do not occur in $\bar{D}$. Let σ be any
substitution such that $GEN'\sigma \subseteq db$. Note that such a substitution exists because
no EDB relation is empty. For each X ∈ var(GEN') define λ(X) := σ(X). (All
atoms in GEN' are irrelevant; they are satisfied via arbitrary ground substitutions
in order to make the body of XP succeed.)

- For any r-atom R in Rest, extend λ to var(R) in such a way that Rλ = r(0). (Note
that there may be up to deg(P) such r-atoms; these are the irrelevant r-atoms of
case i; they are mapped into the dummy fact r(0) in order to succeed.)

It is clear that $Rest\,\lambda \subseteq db^+ \cup \{r(0)\}$, and thus $Rest\,\lambda \subseteq db^+_m$. The other two
conditions of Lemma 3 also apply. By Lemma 3, we thus conclude that XPλ is equivalent
over $db^+_m$ to D. Hence XPλθ, whose body is satisfied in $db^+_m$, fires on that
database and allows us to derive $r(t, 0^{a-c}, \bar{j})$ in one step from it. It thus holds that
$db^+ \cup \{r(0)\} \cup XP \models r(t, 0^{a-c}, \bar{j})$. ∎



6 Main Complexity Results 

6.1 Combined Complexity of Datalog Sirups 

The following theorem determines the combined complexity of absolute sirups. 

Theorem 2 (Combined Complexity of Absolute Sirups). Given an absolute sirup P,
a database db, and a ground fact f, determining whether $P \cup db \models f$ is EXPTIME
complete. This remains true even if P is quadratic and db contains no EDB predicates,
and the universe of db has cardinality 2.

Proof. It is well-known (implicit in [8,32], see also [10]) that the combined complexity
of (general) Datalog is EXPTIME complete. For a simple proof cf. [10], where
the EXPTIME result is shown for instances (db', P', f), where db' contains no
EDB predicates, and the universe of db is the set {0, 1}. It is thus sufficient to show
that the problem remains EXPTIME hard for absolute sirups. By our product construction
we transform each instance (db', P', f) as above to an equivalent instance
$(db' \cup BASIC \cup \{r(0)\}, XP, f)$ of the derivation problem for absolute sirups. The
equivalence is guaranteed by Theorem 1. Note that XP is quadratic. ∎

As an immediate consequence of Theorem 2, we get: 

Corollary 1. Any class of datalog sirups containing the absolute sirups has EXPTIME- 
complete combined complexity. 

Theorem 2 can be reinterpreted as a complexity result on the datalog clause impli- 
cation problem, where datalog clauses are conceived as universally closed formulas. 

Corollary 2 (Complexity of the Implication Problem for Datalog Clauses).

Determining whether a datalog rule C logically implies a datalog rule D is EXPTIME
complete.

Proof. It is well-known [14] that the problem of deciding whether C implies D is
equivalent to the problem of deciding

$(\{A\vartheta \mid A \text{ is an atom in } body(D)\} \cup C) \models head(D)\vartheta,$

where ϑ is an arbitrary ground substitution replacing every variable of D with a distinct
fresh constant. Thus the datalog clause implication problem is in EXPTIME. Conversely,
the problem of checking whether for a database db, a sirup P and a ground
fact f it holds that $db \cup P \models f$ is equivalent to deciding whether the datalog clause
P logically implies the ground rule D whose head is f and whose body consists of the
conjunction of all atoms in db. Thus the datalog clause implication problem is EXPTIME
hard. ∎

Remark. Theorem 2 is formulated in the liberal setting, where an IDB relation may
have a nonempty initial value in the given database db. In fact, in our proof we assume
that the IDB relation r initially contains the tuple r(0). In a more restricted setting,
where this is forbidden, Theorem 2 does not hold. In such a restricted setting, absolute
sirups are equivalent to conjunctive queries which are NP-complete both w.r.t. program
and to combined complexity [9]. However, in the restricted setting, an analogous statement
to Theorem 2 holds for single ground fact sirups (just add r(0) as ground fact to
the program).



6.2 Program Complexity of Datalog Sirups 

General datalog programs are known to be program complete in EXPTIME (implicit 
in [8,32], cf. [10] for a simple proof) and are actually in ETIME and thus complete 
for ETIME. In fact, the fixed size of the universe ensures that the ground version of a 
program has only linear exponential size in the original program, and thus the entire 
evaluation problem can be solved in linear exponential time. 

What about the program complexity for absolute sirups? The classical definition of 
program complexity [32] asks for the evaluation of (variable) datalog programs over a 
fixed database. While general datalog programs are program-complete in ETIME, this 
is not the case for absolute sirups. 

Theorem 3 (Program Complexity of Absolute Sirups). Evaluating absolute sirups 
over fixed databases is NP complete. 

Proof. Membership. Note that a recursive absolute sirup has no rule for initializing 
its head relation r and fails if this relation is initially empty. Thus the fixed database db 
must contain some initial value. This means that the arity of r is fixed. It follows that for 
a fixed database universe the set of all possible ground instances of r is predetermined 
and of constant size k. It follows that every derivable goal f has a proof tree of depth
at most k, and thus of polynomial size. Guessing and verifying such a proof tree for a
given goal is clearly in NP.

Hardness. For hardness it suffices to consider nonrecursive absolute sirups. The evaluation
problem for such sirups is clearly equivalent to the problem of evaluating conjunctive
queries, which is NP complete even in case of a fixed database [9]. ∎

This pathology disappears if we move from absolute sirups to the (syntactically) 
slightly more general class of single ground fact sirups (SGF Sirups). 
Theorem 4 (Program Complexity of SGF and General Sirups).

SGF sirups are program-complete in ETIME. The same holds for all classes of
sirups containing the SGF sirups.

Proof. The ETIME upper bound is inherited from the class of general datalog programs
for which this bound holds. To see hardness, recall from the proof of Theorem 2
that EXPTIME hardness for absolute sirups P holds even in case the universe is fixed
and the database contains only the BASIC facts and r(0). Note that BASIC is fixed for
the fixed universe U. The only nonfixed fact in the database is r(0). For obtaining a
fixed database, it is thus sufficient to eliminate r(0) from the database and add it to the
absolute sirup. This yields an SGF sirup. ∎

Note. If we slightly modify the classical definition of program complexity by requiring 
only a fixed database universe instead of a fixed database, then even the evaluation 
problem for absolute sirups is program complete in ETIME. 



6.3 Linear Sirups 

The combined complexity of linear sirups is in PSPACE. This is actually true for all 
linear datalog programs, and not just for linear sirups. 

Theorem 5. Given a linear datalog program P, a database db and a ground fact f, it
can be tested in PSPACE whether $P \cup db \models f$.

Proof. As said in Section 2.1, derivations of facts by datalog programs can be represented
by proof trees. In general, such proof trees are truly branching. For linear
programs, however, they correspond to chains (if we do not explicitly represent EDB
atoms). Each element of such a chain corresponds to a fact derived (via an appropriate
rule and instantiation) from its predecessor, i.e., its child. The top element of the chain
is f. Clearly, each chain element fits into polynomial space. We can thus generate the
chain elements nondeterministically one by one, bottom to top in PSPACE by reusing
space. At each step we generate a new chain element and check whether there exists a
rule in P and some ground facts in EDB such that the new chain element is generated
from the previous one in one inference step. This requires us to keep only two chain
elements in memory at a time. The procedure stops if f is obtained. The procedure is
in NPSPACE and thus in PSPACE. ∎

The PSPACE hardness of the evaluation problem for linear general programs can
be proven via a particularly simple Turing machine simulation.

Theorem 6. Given a linear datalog program P, a database db and a ground fact f,
deciding whether $P \cup db \models f$ is PSPACE complete. This remains true if both the
universe of db is fixed to be {0, 1} and db does not contain any EDB relations.

Proof. Membership in PSPACE was already shown in Theorem 5. We show hardness.
We use a reduction from the following well-known PSPACE-complete problem: Given
an integer k as unary string and the description of a deterministic Turing machine T,
decide whether T accepts the empty input string in space k, i.e., without ever leaving
the first k tape cells. Without loss of generality, we may assume that T accepts iff it halts
in a special state a with a completely blank tape and having the cursor in the leftmost
position.

Assume the machine has a tape alphabet of a letters and a state set of s states. We
encode letters and states by binary strings of length $\lceil \log a \rceil$ and $\lceil \log s \rceil$, respectively.
We denote the code of an object o by [o].

A configuration S of the machine is represented by a datalog atom of the form

$conf(state, cell_1, cur_1, cell_2, cur_2, \ldots, cell_k, cur_k),$

where state is a Boolean vector of length s encoding the state of S, the $cell_i$ items are
a-ary Boolean vectors encoding the cell-contents of cell i, respectively, and $cur_i$ is 1 if
the cursor is at cell i and 0 otherwise.

We now describe a datalog program P simulating the evolution of T when started
with a blank worktape (i.e., with empty input). The unique predicate of program P is
the IDB predicate conf.

P consists of an initialization rule and a number of transition rules. The initialization
rule is:

$conf([init], [b], 1, [b], 0, [b], 0, \ldots, [b], 0) \leftarrow$

where init denotes the initial state and b the blank symbol.

For each transition τ and each cursor position from which τ is possible, P contains
a corresponding rule. For example, the transition "if symbol read is a and state is q, then
write b, move right, and enter state q'" is represented by a datalog rule of the following
form for 1 ≤ i ≤ k − 1:

$conf([q'], X_1, 0, \ldots, X_{i-1}, 0, [b], 0, X_{i+1}, 1, X_{i+2}, 0, \ldots, X_k, 0) \leftarrow$
$conf([q], X_1, 0, \ldots, X_{i-1}, 0, [a], 1, X_{i+1}, 0, X_{i+2}, 0, \ldots, X_k, 0).$

It is clear that T halts in the accepting state iff from the datalog program P operating
over the empty database, the following fact can be derived:

$conf([a], [b], 1, [b], 0, [b], 0, \ldots, [b], 0).$ ∎
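The encoding used in this proof, worked out as an added example that is not the paper's own code: a constructed three-state machine is compiled into the conf initialization fact and one transition rule per (transition, cursor position), the linear program is evaluated by naive forward chaining over the empty database, and acceptance is read off as derivability of the halting configuration. The machine, its state and letter names, the space bound k and the fixed-width bit encoding helper are my assumptions.

```python
"""Theorem 6: space-bounded Turing machine as a linear datalog program.

Added example (not from the paper).  A conf atom is ("conf", args) with
args = (state, cell_1, cur_1, ..., cell_k, cur_k); states and letters are
bit tuples, cursor flags are 0/1, and rule variables are strings "X1".."Xk".
A rule is (head, body) with body None for the initialization fact.
"""

def bits(index, width):
    """Fixed-width binary code [o] of the object numbered `index`."""
    return tuple((index >> (width - 1 - i)) & 1 for i in range(width))

def encode(names):
    """Map each name to a bit tuple of length max(1, ceil(log2 |names|))."""
    width = max(1, (len(names) - 1).bit_length())
    return {name: bits(i, width) for i, name in enumerate(names)}

def build_program(states, letters, delta, k, init, blank):
    """delta: (state, read) -> (write, move, new_state), move in {-1, +1}.
    Returns the initialization fact plus the transition rules of the proof."""
    S, L = encode(states), encode(letters)
    cells = [f"X{i}" for i in range(1, k + 1)]

    def conf(state, cell_terms, cursor):
        args = [state]
        for i, cell in enumerate(cell_terms, start=1):
            args += [cell, 1 if i == cursor else 0]
        return ("conf", tuple(args))

    rules = [(conf(S[init], [L[blank]] * k, 1), None)]   # blank tape, cursor at cell 1
    for (q, a), (b, move, q2) in delta.items():
        for i in range(1, k + 1):
            j = i + move
            if not 1 <= j <= k:
                continue                   # this step would leave the k tape cells
            body_cells = list(cells); body_cells[i - 1] = L[a]
            head_cells = list(cells); head_cells[i - 1] = L[b]
            rules.append((conf(S[q2], head_cells, j), conf(S[q], body_cells, i)))
    return rules

def match(pattern, fact):
    """Bind the variables of a conf pattern against a ground conf fact, or None."""
    binding = {}
    for p, f in zip(pattern[1], fact[1]):
        if isinstance(p, str):
            if binding.setdefault(p, f) != f:
                return None
        elif p != f:
            return None
    return binding

def subst(atom, binding):
    return (atom[0], tuple(binding.get(a, a) if isinstance(a, str) else a
                           for a in atom[1]))

def derive(rules, limit=10_000):
    """Naive forward chaining over the empty database: the set of conf facts."""
    facts = {head for head, body in rules if body is None}
    changed = True
    while changed and len(facts) < limit:
        changed = False
        for head, body in rules:
            if body is None:
                continue
            for fact in list(facts):
                binding = match(body, fact)
                if binding is not None and subst(head, binding) not in facts:
                    facts.add(subst(head, binding))
                    changed = True
    return facts

def accepts(states, letters, delta, k, init, blank, acc):
    """T accepts in space k iff conf([acc], [b], 1, [b], 0, ...) is derivable."""
    rules = build_program(states, letters, delta, k, init, blank)
    initial_args = rules[0][0][1]
    target = ("conf", (encode(states)[acc],) + initial_args[1:])
    return target in derive(rules)

# Constructed machine: init steps right (writing blank), q1 steps back left and accepts.
STATES, LETTERS = ["init", "q1", "acc"], ["b", "1"]
DELTA = {("init", "b"): ("b", +1, "q1"), ("q1", "b"): ("b", -1, "acc")}

if __name__ == "__main__":
    for k in (1, 2, 3):
        print(f"space {k}: accepts =", accepts(STATES, LETTERS, DELTA, k, "init", "b", "acc"))
```

With k = 1 the only transition would leave the tape, so no rule applies and the machine is rejected; with k ≥ 2 the two-step run is reproduced by two rule applications.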



Theorem 7 (Combined Complexity of Absolute Linear Sirups). Given an absolute
linear sirup P, a database db, and a ground fact f, determining whether $P \cup db \models f$
is PSPACE complete. This remains true even if db has no EDB predicates, and the
universe of db has cardinality 2.

Proof. Membership follows from Theorem 5. To see PSPACE hardness, form the
product of general linear programs as in Theorem 6. The resulting absolute sirup is
linear. The theorem follows. ∎

The following theorems state some additional complexity results that can be proven 
in a completely analogous way as the corresponding results for nonlinear sirups. The 
proofs are thus omitted. 
Theorem 8 (Program Complexity of Absolute Linear Sirups). Absolute linear
sirups are program-complete in NP.

Theorem 9 (Program Complexity of Linear SGF Sirups). Linear SGF sirups are 
program-complete in PSPACE. The same holds for all classes of linear sirups contain- 
ing the linear SGF sirups. 

7 Descriptive Complexity of Sirups 

It is well-known that semipositive Datalog, i.e., datalog, where negation may be applied 
to EDB relations only, captures PTIME on ordered structures. In this section we show 
that similar results hold even for very restricted versions of sirups. We limit ourselves to 
the feature of expressing Boolean database properties. Thus, when speaking about cap- 
turing, we mean the capability of expressing Boolean database properties in a certain 
class via the evaluation problem for a particular class of sirups. 

The main message of this section is that in essence even very restricted classes of 
sirups such as SGF sirups have the same expressive power as full datalog. “In essence” 
means that we have to move to a slightly different representation of relational data for 
achieving our goals, and that we have to assume that the database contains the BASIC 
facts as predefined facts. 

Let us start by considering absolute sirups. Clearly, absolute sirups do not capture 
PTIME on ordered structures, even if negation of EDB facts is allowed in the rule body 
and even on databases where the BASIC relations are available as predefined relations. 
There are two main reasons for this: 

1. The database must contain at least one ground fact for the recursive IDB predicate,
otherwise the recursive rule fails. A database is not guaranteed to contain such a
fact, and even if so, this fact is not guaranteed to be the right one (e.g. fact r(0), cf.
Section 6).

2. If the absolute sirup contains, say, an atom q(X) in its rule body for some EDB
predicate q, then, if the relation q is empty, the rule will fail regardless of the value
of other predicates. Similarly, if the rule contains in its body a literal ¬q(X), and if
q happens to be the total relation, then the rule will fail.

The first of the above inconveniences does not subsist for SGF sirups, where we can
explicitly add the required IDB ground fact. The second problem, however, applies also
to SGF sirups. To circumvent it, we switch to another data representation format.

In a completed database (finite structure), each non-predefined EDB predicate p has,
in addition to its regular arguments, an additional Boolean argument that states whether
the intended fact is or is not in the database. In a completed database a k-ary relation p
over a universe U is represented by the following completion $\hat{p}$:

$\hat{p} = \{\hat{p}(t_1, \ldots, t_k, 1) \mid p(t_1, \ldots, t_k) \in p\} \cup \{\hat{p}(t_1, \ldots, t_k, 0) \mid t_1, \ldots, t_k \in U \wedge p(t_1, \ldots, t_k) \notin p\}.$

It is obvious that, over a fixed schema, each database can be translated into its completion
in logspace, and vice-versa.
We call a structure enriched if it contains the BASIC predicates as predefined predicates.

Theorem 10 (Expressive Power of SGF Sirups). Over completed, ordered, and enriched
databases, SGF sirups, and, in particular, quadratic SGF sirups capture PTIME,
and linear SGF sirups capture NLOGSPACE.

Proof. First observe that datalog (without negation of EDB predicates) captures
PTIME over ordered completed structures: negated EDB literals can be replaced by
appropriately tagged positive atoms. Thus, for any given schema, any PTIME database
property π can be represented by an appropriate program $P_\pi$ and a ground fact $p_j(t)$
such that for every completed, ordered, and enriched database db, $db \cup P_\pi \models p_j(t)$
iff π(db) holds. Now consider the SGF sirup $P'_\pi = XP_\pi \cup \{r(0)\}$. By Theorem 1 it
follows that π(db) holds iff $db \cup P'_\pi \models r(t, 0^{a-c}, \bar{j})$, where a is the maximal arity of
IDB predicates in $P_\pi$. Note that $P'_\pi$ is a quadratic SGF sirup.

The result for linear SGF sirups can be obtained in a similar way from the result that
linear datalog programs capture NLOGSPACE [16], and from the fact that the product
XP of a linear program is itself linear. ∎

From the above result we can obtain various extremely restricted versions of semipositive
datalog that capture PTIME or NLOGSPACE on (regular) ordered structures
with equality. In fact, restricted versions of semipositive datalog in which BASIC and
the completion relations can be defined by subprograms are good candidates for such
expressiveness results. As an example, consider the class SIMPLE defined as follows.
The programs in SIMPLE contain a single recursive rule whose body has no occurrence
of the negation sign, plus nonrecursive initialization rules whose right-hand side
is either empty or contains a negated or unnegated EDB or equality atom. The class
LINSIMPLE, in addition, restricts the recursive rule to be linear.

Theorem 11. Over ordered structures with equality SIMPLE captures PTIME and
LINSIMPLE captures NLOGSPACE.

Proof. It is sufficient to show that the BASIC facts and an IDB predicate corresponding
to $\hat{p}$ for each EDB predicate p can be defined by initialization rules. This is done as
follows:

and(0, 0, 0) ←
and(0, 1, 0) ←
and(1, 0, 0) ←
and(1, 1, 1) ←
select(0, X, Y, X) ←
select(1, X, Y, Y) ←
equal(X, X, 1) ←
equal(X, Y, 0) ← ¬(X = Y)

$\hat{p}(t, 1) \leftarrow p(t)$ for each EDB predicate p

$\hat{p}(t, 0) \leftarrow \neg p(t)$ for each EDB predicate p

∎
Abstract. We present a denotational semantics for concurrent constraint
programming based on derivations containing sequences of interactions
of a process with the environment. Our semantics is then used
as collecting semantics for abstracting properties of computations by applying
techniques of abstract interpretation.



1 Introduction 

The concurrent constraint programming (ccp) paradigm [7] combines elegantly
logical concepts and concurrency mechanisms. It is based on the notion of computing
with systems of partial information and its computational model relies
on the concept of constraint system, consisting of a set of constraints ordered
with respect to logical implication. The store is seen as a constraint on the
range of values that variables can assume, i.e. it is seen as a set of valuations,
and constraints are finite representations of these sets.

All processes interact through a common store, which represents the constraint
established until that moment of the computation. Communication is
achieved by telling (adding) a given constraint to the store, and by asking (checking
whether the store entails) a given constraint. Synchronization is based on the
mechanism of blocking ask, i.e. a process waits until the store is strong enough to
entail a given constraint. The execution of an ask depends monotonically upon
the store, which in turn is monotonically increased by the tell operation. This
means that the store evolves monotonically from the initial store true (meaning
no restriction on the values of variables) and gets more refined while the
computation proceeds.

Like for most concurrent languages, the presence of guarded nondeterminism
causes the denotational semantics of ccp to be rather complicated, and
therefore programs are difficult to analyze and to reason about. We address the
problem of defining a compositional semantics for ccp, and introduce a semantics
expressed in terms of derivations. The basic idea in our approach is the goal
independent program denotation, which we specify by a bottom-up construction
as the least fixpoint of a suitable operator.

The idea of defining compositional semantics for ccp has been extensively
investigated (see [3, 6]). The different semantics presented are defined at different
levels of abstraction, according to the specific problem to solve, and are more
or less concrete. The goal of our work is to define a semantics which should be
the most concrete one, with the scope of using it as collecting semantics for an
abstract interpretation framework in which we can characterize properties of ccp
computations by means of suitable abstractions.

We define a denotational semantics on domains consisting of sets of derivations,
which deals with low-level operational details. Moreover, the typical compositional
style of denotational semantics allows us to identify a small set of
primitive semantic operators, which are the semantic counterparts of the language
syntactic operators. This derivations semantics is the most natural choice
for a collecting semantics and is essentially a traces semantics containing all the
relevant information of ccp-computations.

2 Abstract Interpretation 

Abstract Interpretation [1,2] is a theory to reason about the abstraction relation
between two different semantics, the concrete and the abstract semantics. The
main idea is to relate both semantics by a pair of functions, the abstraction α
and the concretization γ, which form a Galois connection.

Definition 1. Let $(C, \sqsubseteq)$ and $(A, \le)$ be two posets (the concrete and the abstract
domain). A Galois connection $(\alpha, \gamma) : (C, \sqsubseteq) \rightleftharpoons (A, \le)$ is a pair of maps $\alpha : C \rightarrow A$ and $\gamma : A \rightarrow C$ such that

1. α and γ are monotonic,

2. for each $x \in C$, $x \sqsubseteq (\gamma \circ \alpha)(x)$ and

3. for each $y \in A$, $(\alpha \circ \gamma)(y) \le y$.

Moreover, a Galois insertion (of A in C) $(\alpha, \gamma) : (C, \sqsubseteq) \rightleftharpoons (A, \le)$ is a Galois
connection where $\alpha \circ \gamma = Id_A$.

Given a concrete semantics and a Galois insertion between the concrete
and the abstract domain, we want to define an abstract semantics. The theory
requires the concrete semantics to be the least fixpoint of a semantic function
$F : C \rightarrow C$. The abstract semantics function $\tilde{F} : A \rightarrow A$ is correct if
$\forall x \in C.\ F(x) \sqsubseteq \gamma(\tilde{F}(\alpha(x)))$.

F in turn is often defined as composition of "primitive" operators. Let $f : C^n \rightarrow C$ be one such operator and assume $\tilde{f}$ is its abstract counterpart.
Then $\tilde{f}$ is locally correct w.r.t. f if $\forall x_1, \ldots, x_n \in C$ we have $f(x_1, \ldots, x_n) \sqsubseteq \gamma(\tilde{f}(\alpha(x_1), \ldots, \alpha(x_n)))$. The local correctness of all the primitive operators
implies the global correctness. Hence, we can define an abstract semantics by
defining locally correct abstract primitive operators. An abstract computation is
then related to the concrete computation by replacing the concrete operators by
the corresponding abstract operators. According to the theory, for each operator
f, there exists an optimal (most precise) locally correct abstract operator $\tilde{f}$
defined as $\tilde{f}(y_1, \ldots, y_n) = \alpha(f(\gamma(y_1), \ldots, \gamma(y_n)))$.
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3 Concurrent Constraint Programming 

3.1 Cylindric Constraint Systems 

A constraint system can be any system of psirtial information that supports the 
notion of consistency and entailment. Here we consider an abstract definition of 
such systems as lattices, following [7] 

Definition 2. A cylindric constraint system is a structure 

C = {C, <, U, true, false, Var, 3,6) 



such that 

i- (C,<,li,true, false) is a lattice, where U is the lub operation (representing 
the logical and), and true, false are the least and the greatest elements of 
C, respectively/^ . The elements of C are called constraints. 

2. Var is a denumerable set of variables , and for each x & Var the function 
3x '■ C C is a cylindrification operator [5], i.e. it satisfies the following 
properties: 

(a) 3*c < c, 

(b) if c<d then 3xC < 3xd, 

(c) 3x(cU3xd) = 3xCU3xd, 

(d) 3*3yC = 3y3xC. 

3. For each x,y £ Var, Sxy € C is a diagonal element [5], i.e. it satisfies the 
following properties: 

(a) 6xx = true, 

(b) if z is different from x,y then Sxy = ^zi^xz U«5zy), 

(c) if X is different from y then c < (i^y LI 3x(cU (Jiy). 

The cylindrification operators model a sort of existential quamtification and 
are used for defining a hiding operator in the language. The diagonal elements 
are useful to model parameter passing. K C contains an equaility theory, then 
the elements Sxy can be thought of as the formulas x = y. 



3.2 The Cep Language 

We present a language containing the basic features of concurrent constraint programming; we define its syntax and its standard computational model, which are parametric with respect to an underlying cylindric constraint system.

Queries, programs and agents (processes) are described by the following grammar

QUERY ::= AGENT in PROG
PROG ::= ∅ | {CLAUSE} ∪ PROG
CLAUSE ::= ATOM :- AGENT
AGENT ::= Stop | ATOM | ∃x AGENT | tell(c) → AGENT | ask(c) → AGENT | AGENT + AGENT | AGENT || AGENT

where c is a constraint and ATOM stands for the usual notion of atomic goal. In the following we denote by Goals the set of all agents.

¹ The entailment relation $\vdash$, which is commonly used in the literature, is the reverse of $\le$. Formally: for $c, d \in C$, $c \vdash d$ iff $d \le c$.

The agent Stop represents termination. The ask and tell operations are the communication primitives and work on a common store which ranges over $C$. If $d$ is the current store, then the execution of $tell(c) \to A$ adds $c$ to the store, that is, it sets the store to be $c \sqcup d$, and then behaves like $A$. The $ask(c)$ operation is a guard and its execution does not modify the store: it just tests the current store for entailment of the constraint $c$. We say that $ask(c)$ is enabled in $d$ if $c \le d$. The operations $tell(c)$ and $ask(c)$ fail when $c$ is inconsistent with the store. The operators $\parallel$ and $+$ are the parallel composition and the nondeterministic choice, respectively. We use $\exists_x$ to indicate a hiding operator. The intended meaning of $\exists_x A$ is that of a process which behaves like $A$, but where $x$ is considered local or private in $A$. Finally, the agent $p(t)$ is a procedure call, where $p$ is the name of the procedure and $t$ is the actual parameters list. The meaning of $p(t)$ is given with respect to a set of procedure declarations $P$ (program) of the form $p(x) :- A$, where $x$ is the formal parameters list. An instantiation of $p(x) :- A$ is an object of the form $p(t) :- A'$, where $A'$ is obtained by replacing every formal parameter by its corresponding actual parameter, and by renaming all the other variables to avoid clashes with $t$. Given a program $P$ we denote by $Inst(P)$ the set of all instantiations of the clauses in $P$.



3.3 The Operational Model 

The informal computational model of ccp introduced above can be defined in terms of an operational model based on interactions between a process and the environment, first presented in [3], and similar to that presented in [6]. These interactions are constraints labeled by $a$ (assume) or $t$ (tell). An assume constraint represents an action performed by the environment, while a tell constraint represents an action performed by the process itself. We will use $\ell$ to range over $\{a, t\}$. The interactions also encode the hiding of local variables, by means of existential quantifiers, which allows the hiding operator to be modelled compositionally.

A sequence of interactions has the form $c_1^{\ell_1} \cdots c_n^{\ell_n}$, where each $c_i$ can be of the form $\exists_x.c$, and is interpreted as a conjunction, where the scope of an existential quantifier is the whole subsequence that follows. Formally

- $EStore(\varepsilon) = true$

- $EStore((\exists_x.c)^{\ell}.s) = \exists_x(c \sqcup EStore(s))$

For technical convenience we introduce the following notations. Given an object $X$ (a constraint, an agent or a derivation) we will denote by




Abstracting Properties in Concurrent Constraint Programming 227 



- $vars(X)$ the set of variables of $X$.

- $FV(X)$ the set of free variables of $X$.

- $BV(X)$ the set of bound (by the hiding operator) variables of $X$.

- $BV^{\ell}(X)$, $\ell \in \{a, t\}$, the set of bound variables of $X$ occurring in constraints labeled by $\ell$. Note that the local variables introduced by the process are given by $BV^t$ and those introduced by the environment are given by $BV^a$.

- $FV^{\ell}(X)$, $\ell \in \{a, t\}$, the set of free variables of $X$ occurring in constraints labeled by $\ell$.



We describe the operational model of ccp in terms of a labelled transition system $T_P = \langle Conf, \longrightarrow \rangle$ which is specified with respect to a given program $P$. The configurations in $Conf$ are pairs consisting of a goal or a termination mode [3] and a constraint, representing the global store. The termination modes $\tau$ are the symbols $ss$, $ff$ and $dd$, denoting success, failure and deadlock respectively. The labels of the transition relation are interactions between the process and the environment.

Table 1 describes the rules of $T_P$. We assume that existentially quantified variables occurring inside a tell or ask have different names from all the others occurring in the process or introduced during the computation. We assume also a renaming mechanism that takes care of using fresh variables each time a clause is used.

Note that rule R14 models the interaction with the environment. The computation of a process is not immediately affected by actions made by the environment; only its future behavior will depend on them. The environment can then produce an arbitrary constraint without changing the state of the process. Therefore, a process can make an arbitrary assumption about the store, where assumptions involving local variables of the process are not allowed, because these variables are hidden from the environment. Formally this means that the free variables of an assumption may not occur in the scope of the bound variables introduced by the process, i.e. $FV(c) \cap BV^t(d) = \emptyset$, where $c$ is the assumption and $d$ represents the current store. The restrictions $BV(c) \cap vars(A) = \emptyset$ and $BV(c) \cap vars(d) = \emptyset$ ensure the absence of variable clashes between the local variables of the environment and the variables of the process.

Definition 3. A derivation of the query $G$ in $P$ consists of a sequence

$\langle G_0, true\rangle \xrightarrow[A_1]{a_1} \langle G_1, c_1\rangle \xrightarrow[A_2]{a_2} \cdots \langle G_n, c_n\rangle \xrightarrow[A_{n+1}]{a_{n+1}} \cdots$

where $A_1, A_2, \dots, A_n, \dots$ are the selected agents of each transition and $s = a_1 a_2 \dots a_n \dots$ is a sequence of interactions with the environment (called reactive sequence), such that $G_0 = G$ and $\langle G_{i-1}, c_{i-1}\rangle \xrightarrow[A_i]{a_i} \langle G_i, c_i\rangle$, for $i \ge 1$ (by means of the transition system $T_P$), where the selected agent of $G_{i-1}$ is $A_i$ and $c_i = c_{i-1} \sqcup a_i$.



In the following $\langle G, true\rangle \xrightarrow[A_1]{a_1} \cdots \xrightarrow[A_n]{a_n} \langle G_n, d\rangle$ $(n \ge 0)$, where $G_n$ is a goal or a termination mode in $\{ss, dd, ff\}$, denotes a (partial and finite) derivation of
Table 1. The Transition System $T_P$. Rules with a premise are written "from ... infer ..."; side conditions follow the rule, and $a$ ranges over $\{ff, dd\}$.

R1: $\langle Stop, d\rangle \longrightarrow \langle ss, d\rangle$

R2: $\langle ask(e), d\rangle \longrightarrow \langle ss, d\rangle$ if $e \le d$

R3: $\langle ask(e), d\rangle \longrightarrow \langle dd, d\rangle$ if $e \not\le d$ and $\models e \sqcup d$

R4: $\langle ask(e), d\rangle \longrightarrow \langle ff, d\rangle$ if $\not\models e \sqcup d$

R5: $\langle tell(e), d\rangle \xrightarrow{e^t} \langle ss, d \sqcup e\rangle$ if $\models d \sqcup e$ and $BV(e) \cap vars(d) = \emptyset$

R6: $\langle tell(e), d\rangle \longrightarrow \langle ff, d\rangle$ if $\not\models e \sqcup d$

R7: from $\langle G, d\rangle \longrightarrow \langle ss, d'\rangle \mid \langle a, d\rangle$ infer $\langle G \to A, d\rangle \longrightarrow \langle A, d'\rangle \mid \langle a, d\rangle$, with $a \in \{ff, dd\}$

R8: from $\langle A\{y/x\}, d\rangle \xrightarrow{e^{\ell}} \langle B, d \sqcup e\rangle$ infer $\langle \exists_x A, d\rangle \xrightarrow{(\exists_y e)^{\ell}} \langle B, d \sqcup \exists_y e\rangle$, with $\ell \in \{a, t\}$ and $y \cap vars(A) = \emptyset$

R9: $\langle p(t), d\rangle \longrightarrow \langle A', d\rangle$ if $p(t) :- A' \in Inst(P)$

R10: from $\langle A, d\rangle \xrightarrow{e^{\ell}} \langle A', d \sqcup e\rangle \mid \langle ss, d \sqcup e\rangle$ infer $\langle A \parallel B, d\rangle \xrightarrow{e^{\ell}} \langle A' \parallel B, d \sqcup e\rangle \mid \langle B, d \sqcup e\rangle$ and $\langle B \parallel A, d\rangle \xrightarrow{e^{\ell}} \langle B \parallel A', d \sqcup e\rangle \mid \langle B, d \sqcup e\rangle$, with $BV(e) \cap vars(B) = \emptyset$

R11: from $\langle A, d\rangle \longrightarrow \langle ff, d\rangle$ infer $\langle A \parallel B, d\rangle \longrightarrow \langle ff, d\rangle$ and $\langle B \parallel A, d\rangle \longrightarrow \langle ff, d\rangle$

R12: from $\langle A, d\rangle \xrightarrow{e^{\ell}} \langle A', d \sqcup e\rangle \mid \langle ss, d \sqcup e\rangle$ infer $\langle A + B, d\rangle \xrightarrow{e^{\ell}} \langle A', d \sqcup e\rangle \mid \langle ss, d \sqcup e\rangle$ and $\langle B + A, d\rangle \xrightarrow{e^{\ell}} \langle A', d \sqcup e\rangle \mid \langle ss, d \sqcup e\rangle$

R13: from $\langle A, d\rangle \longrightarrow \langle dd, d\rangle$ and $\langle B, d\rangle \longrightarrow \langle a, d\rangle$ infer $\langle A \parallel B, d\rangle \longrightarrow \langle a, d\rangle$, $\langle B \parallel A, d\rangle \longrightarrow \langle a, d\rangle$, $\langle A + B, d\rangle \longrightarrow \langle dd, d\rangle$ and $\langle B + A, d\rangle \longrightarrow \langle dd, d\rangle$, with $a \in \{ff, dd\}$

R14: $\langle A, d\rangle \mid \langle ss, d\rangle \xrightarrow{e^a} \langle A, d \sqcup e\rangle \mid \langle ss, d \sqcup e\rangle$ if $\models d \sqcup e$, $FV(e) \cap BV^t(d) = \emptyset$, $BV(e) \cap vars(A) = \emptyset$ and $BV(e) \cap vars(d) = \emptyset$
the query $G$ in $P$, with selected agents $A_1, \dots, A_n$, reactive sequence $a_1 a_2 \cdots a_n$ and final store $d$. We also denote by $\langle G, true\rangle \xrightarrow[A_P]{s}{}^{*} \langle B, d\rangle$ a finite derivation of the query $G$ in $P$, using the reflexive and transitive closure of $\longrightarrow$, where $B$ is the last goal or a termination mode, $s$ is the sequence of interactions and $A_P$ is the sequence of agents.

Given a derivation $d$, $first(d)$ and $last(d)$ (with $d$ finite) are the first and the last goal or termination mode of $d$. $length(d)$ denotes the length of the derivation, $agents(d)$ denotes the sequence of selected agents of the derivation, $sequence(d)$ denotes the reactive sequence of $d$ and $EStore(d)$ stands for $EStore(sequence(d))$. We will denote by $Derivs$ the set of all derivations. We will use the following notions regarding derivations.

Between finite derivations, we define the following equivalence relation:

$d_1 \approx d_2$ iff $first(d_1) = first(d_2)$, $agents(d_1) = agents(d_2)$ and $sequence(d_1) =_c sequence(d_2)$³

Given a set of derivations $SD$ the notation $sequence(SD)$ stands for the set $\{sequence(d) \mid d \in SD\}$.

Definition 4. A derivation $d$ is called real if it is entirely composed of tell constraints, i.e. if $sequence(d) = c_1^t \cdots c_n^t$.

A derivation $d$ is called convergent if $last(d) \in \{ss, dd, ff\}$.

Note that in a real derivation each constraint we observe has been really produced by the process and that a convergent derivation represents a computation which has reached a final state.
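The transition rules of Table 1 and the notions of real and convergent derivation can be exercised on a small constraint system. The following Python program is an added example and not code from the paper: it models a cylindric constraint system whose constraints are conjunctions of equalities between variables and values, checks the cylindrification axioms of Definition 2 on concrete inputs, implements rules R1-R7 and R10-R13 (procedure calls and hiding are left out), enumerates the final mode, store and tell sequence of every real derivation of an agent, and computes EStore over interaction sequences. The constraint representation, the tuple encoding of agents, the names step, outputs and estore, and the treatment of a choice whose branches both fail are assumptions of the example, not the paper's definitions.

```python
# Added example, not the paper's code: a toy cylindric constraint system and an
# executable reading of Table 1 (R1-R7, R10-R13; no procedure calls or hiding).
# A constraint is a conjunction of equalities "variable = value" kept as a
# frozenset of (var, value) pairs: true is the empty set, c <= d is inclusion
# (d carries at least c), the lub is union, and a store is inconsistent when
# it binds one variable to two values.
TRUE = frozenset()

def consistent(c):
    """|= c holds iff no variable is bound to two different values."""
    seen = {}
    return all(seen.setdefault(v, val) == val for v, val in c)

def lub(c, d): return c | d              # c U d, the logical conjunction
def entails(d, c): return c <= d         # c <= d in the paper's order
def hide(x, c): return frozenset(b for b in c if b[0] != x)   # E_x c

def cylindric_axioms_hold(x, y, c, d):
    """Properties (a)-(d) of Definition 2, checked on concrete inputs."""
    return (entails(c, hide(x, c))                                       # (a)
            and (not entails(d, c) or entails(hide(x, d), hide(x, c)))  # (b)
            and hide(x, lub(c, hide(x, d))) == lub(hide(x, c), hide(x, d))  # (c)
            and hide(x, hide(y, c)) == hide(y, hide(x, c)))             # (d)

# Agents as tagged tuples: Stop, tell(c) -> A, ask(c) -> A, A || B, A + B.
Stop = ('stop',)
def tell(c, a): return ('tell', frozenset(c), a)
def ask(c, a): return ('ask', frozenset(c), a)
def par(a, b): return ('par', a, b)
def choice(a, b): return ('choice', a, b)

SILENT = ((), TRUE, 't')   # label true^t: a step that adds no information

def step(agent, d):
    """All transitions of <agent, d> as (label, successor, store) triples; a
    label is (hidden vars, constraint, 'a'/'t'), a successor is an agent or a mode."""
    kind = agent[0]
    if kind == 'stop':                                          # R1
        return [(SILENT, 'ss', d)]
    if kind == 'ask':                                           # R2-R4 via R7
        _, e, a = agent
        if entails(d, e):
            return [(SILENT, a, d)]
        return [(SILENT, 'dd' if consistent(lub(e, d)) else 'ff', d)]
    if kind == 'tell':                                          # R5, R6 via R7
        _, e, a = agent
        if consistent(lub(d, e)):
            return [(((), e, 't'), a, lub(d, e))]
        return [(SILENT, 'ff', d)]
    if kind == 'par':
        _, a, b = agent
        out = set()
        for left, right, rebuild in ((a, b, lambda x, y: ('par', x, y)),
                                     (b, a, lambda x, y: ('par', y, x))):
            for lab, nxt, d2 in step(left, d):
                if nxt == 'ff':                                 # R11
                    out.add((lab, 'ff', d))
                elif nxt == 'ss':                               # R10, left done
                    out.add((lab, right, d2))
                elif nxt == 'dd':                               # R13, both stuck
                    out.update((lab, m, d) for _, m, _ in step(right, d)
                               if m in ('ff', 'dd'))
                else:                                           # R10, left moved
                    out.add((lab, rebuild(nxt, right), d2))
        return list(out)
    if kind == 'choice':
        _, a, b = agent
        moves = [t for side in (a, b) for t in step(side, d)]
        progress = [t for t in moves if t[1] not in ('ff', 'dd')]
        if progress:                                            # R12
            return progress
        # R13 yields dd when a branch deadlocks; two failing branches are
        # resolved as ff here (an assumption: the rules above leave it open).
        return [(SILENT, 'dd' if any(t[1] == 'dd' for t in moves) else 'ff', d)]
    raise ValueError(f'unknown agent {agent!r}')

def estore(seq):
    """EStore(eps) = true; EStore((E_x.c)^l . s) = E_x(c U EStore(s))."""
    if not seq:
        return TRUE
    (hidden, c, _), rest = seq[0], seq[1:]
    r = lub(c, estore(rest))
    for x in hidden:
        r = hide(x, r)
    return r

def outputs(agent, d=TRUE):
    """(mode, final store, tell sequence) of every real derivation of <agent, d>,
    i.e. every maximal run in which the environment adds nothing (Definition 4)."""
    results, stack = set(), [(agent, d, ())]
    while stack:
        g, s, seq = stack.pop()
        for lab, nxt, s2 in step(g, s):
            seq2 = seq + ((lab,) if lab[1] else ())   # drop true^t steps
            if nxt in ('ss', 'ff', 'dd'):
                results.add((nxt, s2, seq2))
            else:
                stack.append((nxt, s2, seq2))
    return results
```

Running outputs on par(ask(x=1) → tell(y=2) → Stop, tell(x=1) → Stop) yields a single real derivation ending in ss with store {x=1, y=2}, whichever interleaving is chosen, while ask(x=1) → Stop alone deadlocks and two tells of incompatible values for x fail. For every real derivation starting from the empty store, estore over its tell sequence reproduces the final store, which is the invariant behind EStore(d).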



4 The Collecting Semantics

4.1 Semantics Domains

In this section we present the semantics domains used to define a denotational semantics, based on the notion of derivation presented above.

A set of derivations $SD$ is well-formed if and only if $d_1 \in SD$ and $d_1 \approx d_2$ implies $d_2 \in SD$. We denote by $(WFD, \subseteq)$ the complete lattice of well-formed sets of derivations, partially ordered by inclusion. A collection $D$ is a partial function $Goals \to WFD$ such that, for every $G \in Goals$, $D(G)$, if defined, is a well-formed set of derivations all starting from $G$.

We denote by $\mathbb{D}$ the domain of all collections ordered by $\sqsubseteq$, where $D_1 \sqsubseteq D_2$ if and only if $\forall G.\, D_1(G) \subseteq D_2(G)$. $(\mathbb{D}, \sqsubseteq)$ is easily shown to be a complete lattice.

For collections $D_1$ and $D_2$ we say $D_1$ is equivalent modulo variance to $D_2$, $D_1 =_{\mathbb{D}} D_2$, if and only if for any $G$ there exists a renaming $G'$ of $G$ such that, if $D_1(G)$ is defined, then $D_2(G')$ is defined and, for any $d \in D_1(G)$, there exists $d' \in D_2(G')$ such that $d \approx d'$, and vice versa.

³ Here $=_c$ denotes the variance relation on terms defined over a given signature.

A pure collection is a collection defined only for pure atomic goals⁴. We denote by $P\mathbb{D}$ the sublattice of pure $\mathbb{D}$-collections. An interpretation $I$ ($\mathbb{D}$-interpretation) is a pure collection modulo variance. We denote by $I_{\mathbb{D}}$ the set of interpretations. $(I_{\mathbb{D}}, \sqsubseteq)$ is a complete lattice with the induced quotient order.

4.2 Denotational Semantics

The equivalence class modulo variance of a collection $D$ is denoted by $D$ itself. Any interpretation $I$ of $I_{\mathbb{D}}$ is considered also as an arbitrary collection obtained by choosing an arbitrary representative of $I$. The semantics operators used on interpretations are independent of the choice of the representative. Therefore, we can define any operator on $I_{\mathbb{D}}$ in terms of its counterpart on $\mathbb{D}$, independently from the choice of the representative. We will denote the corresponding operators on $I_{\mathbb{D}}$ and $\mathbb{D}$ by the same name.

We define the denotational semantics inductively on the syntax of ccp programs presented in Section 3.2. The semantics functions are

$\mathcal{Q} : QUERY \to \mathbb{D}$

$\mathcal{P} : PROG \to (I_{\mathbb{D}} \to I_{\mathbb{D}})$

$\mathcal{C} : CLAUSE \to (I_{\mathbb{D}} \to I_{\mathbb{D}})$

$\mathcal{A} : AGENT \to (I_{\mathbb{D}} \to \mathbb{D})$

and are defined in terms of the operators $\bowtie$, $\parallel$, $\oplus$, $\triangleright$, $\triangleleft$, $\exists$ and $\bullet$ defined in Section 4.2. The choice of these semantic operators is induced by the syntactic operations, due to the compositional nature of denotational semantics.

$\mathcal{Q}[\![G \text{ in } P]\!] := \mathcal{A}[\![G]\!]_{lfp\,\mathcal{P}[\![P]\!]}$

$\mathcal{P}[\![\{cl\} \cup P]\!]_I := \mathcal{C}[\![cl]\!]_I \oplus \mathcal{P}[\![P]\!]_I$

$\mathcal{P}[\![\emptyset]\!]_I := Id_{I_{\mathbb{D}}}$

$\mathcal{C}[\![p(x) :- B]\!]_I := tree(p(x) :- B) \bowtie \mathcal{A}[\![B]\!]_I$

$\mathcal{A}[\![A \parallel B]\!]_I := \mathcal{A}[\![A]\!]_I \parallel \mathcal{A}[\![B]\!]_I$

$\mathcal{A}[\![A + B]\!]_I := \mathcal{A}[\![A]\!]_I \oplus \mathcal{A}[\![B]\!]_I$

$\mathcal{A}[\![Stop]\!]_I := \phi_{Stop}$

$\mathcal{A}[\![tell(c) \to A]\!]_I := c \triangleright \mathcal{A}[\![A]\!]_I$

$\mathcal{A}[\![ask(c) \to A]\!]_I := c \triangleleft \mathcal{A}[\![A]\!]_I$

$\mathcal{A}[\![\exists_x A]\!]_I := \exists_x \mathcal{A}[\![A]\!]_I$

$\mathcal{A}[\![p(t)]\!]_I := p(t) \bullet I$

where $lfp\,\mathcal{P}[\![P]\!]$ means $lfp\,\lambda I.\,\mathcal{P}[\![P]\!]_I$.

Using standard techniques it can be proved that $\mathcal{P}[\![P]\!]$ is continuous [6], hence we can define the fixpoint denotation of a program $P$ as the interpretation $lfp\,\mathcal{P}[\![P]\!]$.

Operations on Derivations. We define now various auxiliary operations on derivations, used later to define the semantic operators on collections.

1. Let $d_1 = \langle G, c\rangle \longrightarrow_{A_{P_1}} \langle B_1, d_1\rangle$ and $d_2 = \langle B_1, d_1\rangle \longrightarrow_{A_{P_2}} \langle B_2, d_2\rangle$ be two derivations with $last(d_1) = first(d_2)$ and $vars(d_1) \cap vars(d_2) = vars(first(d_2))$. Then $d_1 :: d_2 := \langle G, c\rangle \longrightarrow_{A_{P_1} A_{P_2}} \langle B_2, d_2\rangle$ denotes the concatenation of $d_1$ and $d_2$. This operation is naturally extended to sets of derivations. The operator $\bowtie$ is a special case of the operator $::$ and is defined only for two derivations $d_1$ and $d_2$ with $d_1 = \langle p(t), c\rangle \longrightarrow_{p(t)} \langle B', true\rangle$ and $d_2 = \langle B', true\rangle \longrightarrow_{A_P} \langle B, d\rangle$, i.e. $last(d_1) = first(d_2)$. Then $d_1 \bowtie d_2$ is defined as the collection $\langle p(t), true\rangle \longrightarrow_{p(t)} \langle B', true\rangle \longrightarrow_{A_P} \langle B, d\rangle$.

⁴ An atom is called pure if it is of the form $p(x)$, where $x$ is a tuple of distinct variables.

2. Let $d = \langle G, c\rangle \longrightarrow_{A_P} \langle B, d\rangle$ be a derivation and $\rho$ be a renaming such that $vars(G\rho) \cap (vars(agents(d)) \cup vars(sequence(d))) = \emptyset$. Then $\delta_\rho(d)$ is defined as the collection $\langle G\rho, c\rho\rangle \longrightarrow_{A_P\rho} \langle B\rho, d\rho\rangle$.

3. The operator $\triangleright$ acting on a constraint $c$ and a derivation $d$ is defined as follows. Let $G' = tell(c) \to G$ and $s^a = c_1^a \cdots c_i^a$; then

 - If $\models d_i \sqcup c$, $d_i \sqcup c =_c d_i \sqcup e$, $FV(e) \cap BV(d) = \emptyset$ and $BV(e) \cap FV(d) = \emptyset$, then

 $c \triangleright (\langle G, d_0\rangle \xrightarrow[Env]{s^a} \langle G, d_i\rangle \xrightarrow[Env]{e^a} \langle G, d_{i+1}\rangle \longrightarrow_{A_P} \langle \tau, d_n\rangle) := \langle G', d_0\rangle \xrightarrow[Env]{s^a} \langle G', d_i\rangle \xrightarrow{e^t} \langle G, d_{i+1}\rangle \longrightarrow_{A_P} \langle \tau, d_n\rangle$

 - If $\not\models d_i \sqcup c$, then

 $c \triangleright (\langle G, d_0\rangle \xrightarrow[Env]{s^a} \langle G, d_i\rangle \longrightarrow_{A_P} \langle \tau, d_n\rangle) := \langle G', d_0\rangle \xrightarrow[Env]{s^a} \langle G', d_i\rangle \longrightarrow \langle ff, d_i\rangle$

 - $c \triangleright (\langle G, d\rangle \longrightarrow_{A_P} \langle \bot, d_n\rangle) := \langle G', d\rangle \longrightarrow_{A_P} \langle \bot, d_n\rangle$

4. The operator $\triangleleft$ acting on a constraint $c$ and a derivation $d$ is defined as follows. Let $G' = ask(c) \to G$ and $s^a = c_1^a \cdots c_i^a$; then

 - If $c \le d_i$, then

 $c \triangleleft (\langle G, d_0\rangle \xrightarrow[Env]{s^a} \langle G, d_i\rangle \longrightarrow \langle G, d_{i+1}\rangle \longrightarrow_{A_P} \langle \tau, d_n\rangle) := \langle G', d_0\rangle \xrightarrow[Env]{s^a} \langle G', d_i\rangle \longrightarrow \langle G', d_{i+1}\rangle \longrightarrow \langle G, d_{i+1}\rangle \longrightarrow_{A_P} \langle \tau, d_n\rangle$

 - If $\not\models d_i \sqcup c$, then

 $c \triangleleft (\langle G, d_0\rangle \xrightarrow[Env]{s^a} \langle G, d_i\rangle \longrightarrow_{A_P} \langle \tau, d_n\rangle) := \langle G', d_0\rangle \xrightarrow[Env]{s^a} \langle G', d_i\rangle \longrightarrow \langle ff, d_i\rangle$

 - If $\models d_i \sqcup c$ and $c \not\le d_i$, then

 $c \triangleleft (\langle G, d_0\rangle \xrightarrow[Env]{s^a} \langle G, d_i\rangle \longrightarrow_{A_P} \langle \tau, d_n\rangle) := \langle G', d_0\rangle \xrightarrow[Env]{s^a} \langle G', d_i\rangle \longrightarrow \langle dd, d_i\rangle$

 - $c \triangleleft (\langle G, d\rangle \longrightarrow_{A_P} \langle \bot, d_n\rangle) := \langle G', d\rangle \longrightarrow_{A_P} \langle \bot, d_n\rangle$

5. The operator $\parallel$, first introduced in [4] for sequences of constraints, allows us to combine derivations whose sequences are equal at each point, apart from the modes, modeling the interaction of a process with its environment. It amounts to verifying that the assumptions made by one process are validated by the other one (i.e. it tells or assumes the same constraint). Formally, the operator is defined on derivations $d_1$ and $d_2$ such that $sequence(d_1) = c_1^{\ell_1} c_2^{\ell_2} \cdots c_n^{\ell_n}$ and $sequence(d_2) = c_1^{\ell'_1} c_2^{\ell'_2} \cdots c_n^{\ell'_n}$:

 $\langle A, d\rangle \longrightarrow_{A_P} \langle \tau_1, e\rangle \parallel \langle B, d\rangle \longrightarrow_{B_P} \langle \tau_2, e\rangle = \langle B, d\rangle \longrightarrow_{B_P} \langle \tau_2, e\rangle \parallel \langle A, d\rangle \longrightarrow_{A_P} \langle \tau_1, e\rangle$

 $\langle A, d\rangle \longrightarrow_{Env} \langle A, d_1\rangle \longrightarrow_{A_P} \langle \tau_1, e\rangle \parallel \langle B, d\rangle \longrightarrow_{G_1} \langle B_1, d_1\rangle \longrightarrow_{B_P} \langle \tau_2, e\rangle := \langle A \parallel B, d\rangle \longrightarrow_{G_1} \langle A \parallel B_1, d_1\rangle :: \big(\langle A, d_1\rangle \longrightarrow_{A_P} \langle \tau_1, e\rangle \parallel \langle B_1, d_1\rangle \longrightarrow_{B_P} \langle \tau_2, e\rangle\big)$

 Syntactically, we apply the notation $Stop \parallel A = A \parallel Stop = A$. Furthermore we have the rules

 - $\langle \tau, e\rangle \parallel \langle ss, e\rangle := \langle \tau, e\rangle$

 - $\langle \tau, e\rangle \parallel \langle ff, e\rangle := \langle ff, e\rangle$

 - $\langle dd, e\rangle \parallel \langle dd, e\rangle := \langle dd, e\rangle$

 - $\langle \bot, e\rangle \parallel \langle \bot, e\rangle := \langle \bot, e\rangle$

6. The hiding operator on derivations, defined if $x \cap (FV^a(d_1) \cup FV^t(s_1)) = \emptyset$, is given by

 $\exists_x (\langle G, d_0\rangle \longrightarrow \langle G, d_i\rangle \longrightarrow \langle G_{i+1}, d_{i+1}\rangle \longrightarrow \langle \tau, d_n\rangle) := \langle G, d_0\rangle \longrightarrow \langle G, d_i\rangle \longrightarrow \langle G_{i+1}, d_i \sqcup \exists_x c\rangle \longrightarrow \langle \tau, d_n\rangle$

Operations on Collections. The void collection $\phi$ is the collection $\lambda G.\,\bot$ (the undefined function), where $\bot$ stands for the undefined element. The identity collection $Id_{\mathbb{D}}$ is the collection of zero-length derivations for each goal, i.e. $\lambda G.\,\{\langle G, true\rangle\}$, while the pure identity collection $Id_{I_{\mathbb{D}}}$ is the collection $\lambda p(x).\,\{\langle p(x), true\rangle\}$⁵. Moreover $\phi_G$ stands for the collection 0 •

We introduce a special set of derivations, the $StopSet$, defined as

$StopSet := \{\langle Stop, true\rangle \longrightarrow_{Env} \langle Stop, d_1\rangle \cdots \longrightarrow_{Stop} \langle ss, d_n\rangle \mid d_i = d_{i-1} \sqcup c_i\}$

1. The sum of a class of collections $\{D_j\}_{j \in J}$ is defined as $\bigoplus_{j \in J} D_j := \lambda G.\,\bigcup_{j \in J} D_j(G)$

2. The extension of $D_1$ by $D_2$ is given by

$D_1 \bowtie D_2 := \lambda G.\,\{d_1 \bowtie d_2 \mid d_1 \in D_1(G),\ d_2 \in D_2(last(d_1))\}$

3. The tree operation maps clauses to collections. For a clause $cl := p(x) :- B$ we define

$tree(cl) := \phi[\{\langle p(t), true\rangle \longrightarrow_{p(t)} \langle B', true\rangle \mid p(t) :- B' \in Inst(P)\} / p(t)]$

4. The parallel composition of $D_1$ and $D_2$ is defined as

$D_1 \parallel D_2 := \lambda G.\,\{d_1 \parallel d_2 \mid G = G_1 \parallel G_2,\ d_1 \in D_1(G_1),\ d_2 \in D_2(G_2)\}$

5. Given a constraint $c$ and a collection $D$, the $\triangleright$ operator is defined by

$c \triangleright D := \lambda G.\,\{c \triangleright d \mid G = tell(c) \to A,\ d \in D(A),\ c \triangleright d \text{ is defined}\}$

⁵ Note that when we write $\lambda p(x).F$ we denote a partial function which is defined only for inputs of the form $p(x)$ and is otherwise undefined.

6. Given a constraint $c$ and a collection $D$, the $\triangleleft$ operator is defined by

$c \triangleleft D := \lambda G.\,\{c \triangleleft d \mid G = ask(c) \to A,\ d \in D(A),\ c \triangleleft d \text{ is defined}\}$

7. Let $\{x/z, y/x\}$ denote the simultaneous substitution of the free occurrences of the variables $z$ by their corresponding variables $x$, and of the variables $x$ by their corresponding variables $y$. Furthermore we require that $z \cap vars(A) = \emptyset$ and $y \cap vars(d) = \emptyset$. Then the hiding operator on collections is defined by

$\exists_x D := \lambda G.\,\{\exists_y d\{x/z, y/x\} \mid G = \exists_x A,\ d \in D(A)\}$

8. To define the choice operator on collections, we make the following considerations. Apart from the cases of deadlock and failure, an alternative derivation can always be selected, therefore the successful and unfinished computations are given by set union. In case of failed or deadlocked computations, observe that the successful execution of an action is made visible by a tell constraint, hence, when a tell constraint is present, the alternative can be selected and we have set union again. On the other side, derivations whose actions are only assume actions and end in failure or deadlock are present in the result collection only if they are present in all collections. Given a set of derivations $S$, we use the following notations

$\{S\}^t = \{d \in S \mid \text{there exists } c^{\ell} \in sequence(d) \text{ with } \ell = t \text{ and } c \ne true\}$

$\{S\}^a = \{d \in S \mid \text{for all } c^{\ell} \in sequence(d) \text{ with } c \ne true \text{ we have } \ell = a\}$

Formally, we define

$D_1 \oplus D_2 := \lambda G.\,\{(D_1(A_1) \cup^{ss} D_2(A_2)) \cup (D_1(A_1) \cup^{ff} D_2(A_2)) \cup (D_1(A_1) \cup^{dd} D_2(A_2)) \cup (D_1(A_1) \cup^{\bot} D_2(A_2)) \mid G = A_1 + A_2\}$

where

$S_1 \cup^{ss} S_2 = \{d \in S_1 \cup S_2 \mid last(d) = ss\}$

$S_1 \cup^{ff} S_2 = \{d \in S_1 \cup S_2 \mid last(d) = ff\}^t \cup \{d \in S_1 \cup S_2 \mid last(d) = ff \text{ and } sequence(d) \in sequence(S_1) \cap sequence(S_2)\}^a$

$S_1 \cup^{dd} S_2 = \{d \in S_1 \cup S_2 \mid last(d) = dd\}^t \cup \{d \in S_1 \cup S_2 \mid last(d) = dd \text{ and } sequence(d) \in sequence(S_1) \cap sequence(S_2)\}^a \cup \{d \in S_1 \mid \exists d' \in S_2.\ sequence(d) = sequence(d') \text{ and } last(d) = dd \text{ and } last(d') = ff\}^a \cup \{d \in S_2 \mid \exists d' \in S_1.\ sequence(d) = sequence(d') \text{ and } last(d) = dd \text{ and } last(d') = ff\}^a$

$S_1 \cup^{\bot} S_2 = \{d \in S_1 \cup S_2 \mid last(d) = \bot\}$

9. Given an atom $p(t)$ and a collection $D$, the operator $\bullet$ solves the atom using the collection. We define $p(t) \bullet D := \phi[S/p(t)]$, where

$S = \{\delta_\rho(d) \mid \text{there exists a renaming } \rho \text{ such that } A' = p(t)\rho,\ d \in D(A'),\ last(d) \in \{ss, ff, dd\}\}$
$\quad \cup\ \{\delta_\rho(d') \mid \text{there exists a renaming } \rho \text{ such that } A' = p(t)\rho,\ d \in D(A'),\ d = \langle A', true\rangle \longrightarrow_{A_P} \langle G, c\rangle,\ G \in Goals,\ d' = \langle A', true\rangle \longrightarrow_{A_P} \langle \bot, c\rangle\}$

5 The Abstraction Framework

General semantic frameworks taking into account approximation can be defined using Abstract Interpretation [1,2]. We define a semantic framework whose ingredients are a concrete semantics and an observable. Our concrete semantics models ccp computations and is formalized denotationally.

An observable is a Galois insertion between the domain of computations and an abstract domain of computations over the same constraint system, describing the properties to be modelled. The abstract denotational definition and goal-independent denotation are systematically derived from the concrete ones, by replacing the concrete semantic operators by their optimal abstract versions.

We recall that we are interested in extracting some properties from the concrete semantics without abstracting the constraint system, hence we can apply the general framework of Abstract Interpretation in order to define abstract semantics which characterize the properties of computations.



5.1 Extracting Properties of Computations

An observable property domain is a set of properties of derivations with an ordering relation which can be viewed as an approximation structure. An observation consists of looking at a computation, and then extracting some property (abstraction). Since we represent computations as collections, an observable is a function from $\mathbb{D}$ to a suitable domain $\mathbb{A}$, which preserves the approximation structure. Such a function must be a Galois insertion.

Let $(A, \preceq)$ be a complete lattice. A function $\alpha : WFD \to A$ is a domain abstraction if there exists $\gamma$ such that $(\alpha, \gamma) : (WFD, \subseteq) \rightleftarrows (A, \preceq)$ is a Galois insertion. Given an abstract domain $A$ we are generally interested in the abstract behaviour of the queries, which are elements of a domain of partial functions $\mathbb{A} \subseteq [Goals \to A]$ (ordered by the trivial extension $\le$ of $\preceq$) and are called $A$-collections.

The insertion $(\alpha, \gamma)$ can be lifted to collections by defining⁶ $\mathbb{A} = \alpha^*(\mathbb{D})$, where $\alpha^*(D) := \lambda G.\,\alpha(D(G))$, and $\forall S \in \mathbb{A}$, $\gamma^*(S) := \lambda G.\,wf_G(\gamma(S(G)))$, where $wf_G(S)$ is the greatest well-formed subset of $S$, restricted to the derivations starting from $G$. The pair $(\alpha^*, \gamma^*) : (\mathbb{D}, \sqsubseteq) \rightleftarrows (\mathbb{A}, \le)$ is a Galois insertion. We will often abuse notation and denote $\alpha^*$ by $\alpha$. As in the concrete case, a pure $A$-collection is any element $X \in \mathbb{A}$ which is defined for pure atomic goals only. We denote by $P\mathbb{A}$ the sub-lattice of pure $A$-collections.

⁶ Remember that if $D(G)$ is undefined then also $\alpha(D(G))$ is undefined.

Definition 5. Let $(\mathbb{A}, \le)$ be a complete lattice of $A$-collections. A function $\alpha : \mathbb{D} \to \mathbb{A}$ is an observable if it maps finite elements of $\mathbb{D}$ to finite elements⁷ of $\mathbb{A}$ and there exists $\gamma$ such that

1. $(\alpha, \gamma) : (\mathbb{D}, \sqsubseteq) \rightleftarrows (\mathbb{A}, \le)$ is a Galois insertion,

2. $\alpha(P\mathbb{D}) = P\mathbb{A}$ and $\gamma(P\mathbb{A}) \subseteq P\mathbb{D}$,

3. $\forall D, D' \in P\mathbb{D}.\ D =_{\mathbb{D}} D' \Rightarrow (\gamma\alpha)D =_{\mathbb{D}} (\gamma\alpha)D'$.

Note that given a domain abstraction it is easy to obtain an observable by the above mentioned lifting.

We can then define an abstract enhanced variance relation $=_{\mathbb{A}}$ on abstract collections as follows: for any $X, X'$, $X =_{\mathbb{A}} X' \Leftrightarrow \gamma(X) =_{\mathbb{D}} \gamma(X')$. An $A$-interpretation is a pure $A$-collection modulo $=_{\mathbb{A}}$. We denote by $(I_{\mathbb{A}}, \le)$ the complete lattice of $A$-interpretations with the induced quotient order.



5.2 From the Observables to the Abstract Semantics

Once we have an observable $\alpha : \mathbb{D} \to \mathbb{A}$, we want to derive the abstract semantics. The idea is to define the optimal abstract versions of the various semantic operators. The optimal abstract counterparts of the basic operators defined on $\mathbb{D}$ are given by the following definitions, $\forall X, X', X_i \in \mathbb{A}$, $c \in C$, $A \in Agents$:

$\bigoplus_{i \in J} X_i := \alpha\left(\bigoplus_{i \in J} \gamma(X_i)\right)$ (1)

$X \bowtie X' := \alpha(\gamma(X) \bowtie \gamma(X'))$ (2)

$X \parallel X' := \alpha(\gamma(X) \parallel \gamma(X'))$ (3)

$X \oplus X' := \alpha(\gamma(X) \oplus \gamma(X'))$ (4)

$c \triangleright X := \alpha(c \triangleright \gamma(X))$ (5)

$c \triangleleft X := \alpha(c \triangleleft \gamma(X))$ (6)

$\exists_x X := \alpha(\exists_x \gamma(X))$ (7)

$p(t) \bullet X := \alpha(p(t) \bullet \gamma(X))$ (8)

The Output Observable. An interesting property is the notion of output observable, which gives the store resulting from the computation of a goal, together with the termination mode. Using the domain $OObs \subseteq \wp(Goals \times TM \times C)$,

⁷ Let $\mathbb{A} \subseteq [Goals \to A]$. We assume that the elements of $A$ can be represented by means of a syntactic expression built over the free variables which appear in the corresponding derivations in $WFD$. By finite element of $\mathbb{A}$ we mean any element which is finitely representable in the domain $A$.
where $TM = \{ss, ff, dd\} \cup Goals$, we can define the abstraction $(\alpha_O, \gamma_O) : \mathbb{D} \rightleftarrows \mathbb{A}_{OO}$, where $\mathbb{A}_{OO} \subseteq [Goals \to OObs]$, by

$\alpha_O(D) := \lambda G.\,\{(G, \tau, c) \mid d \in D(G),\ EStore(d) = c,\ last(d) = \tau,\ d \text{ is real and convergent}\}$

$\gamma_O(X) := \lambda G.\,\{d \mid first(d) = G,\ EStore(d) = c,\ last(d) = \tau,\ d \text{ is real and convergent},\ (G, \tau, c) \in X(G)\}$
$\quad \cup\ \{d \mid first(d) = G,\ last(d) = \bot\}$
$\quad \cup\ \{d \mid first(d) = G,\ d \text{ is not real}\}$

Using equations 1 to 8 of Section 5.2 we have the following definitions of the abstract semantic operators.

1. $\bigoplus_{i \in J} X_i := \lambda G.\,\bigcup_{i \in J} X_i(G)$

2. Before we define the operator $\bowtie$, we have to define the tree operation, which maps clauses to $A$-collections. The clause $cl := p(x) :- B$ can be viewed as the $A$-collection

$tree(cl) := \phi[\{(p(t), B', true) \mid p(t) :- B' \in Inst(P)\} / p(t)]$

The operator $\bowtie$ is then defined as

$X_1 \bowtie X_2 := \lambda G.\,\{(G, \tau, c) \mid a_1 \in X_1(G),\ a_1 = (G, B, true),\ a_2 \in X_2(B),\ a_2 = (B, \tau, c)\}$

3. The abstract parallel operator is defined as

$X_1 \parallel X_2 := \lambda G.\,\{(G_1 \parallel G_2, \tau_1 \parallel \tau_2, c) \mid G = G_1 \parallel G_2,\ (G_1, \tau_1, c) \in X_1(G_1),\ (G_2, \tau_2, c) \in X_2(G_2)\}$

where we apply the rules $\tau \parallel ss = \tau$, $\tau \parallel ff = ff$ and $dd \parallel dd = dd$.

4. $X_1 \oplus X_2 := \lambda G.\,\{X_1(A_1) \cup X_2(A_2) \mid G = A_1 + A_2\}$

5. Given a constraint $c$ and an $A$-collection $X$, the $\triangleright$ operator is defined by

$c \triangleright X := \lambda G.\,\{c \triangleright (A, \tau, d) \mid G = tell(c) \to A,\ (A, \tau, d) \in X(A)\}$,

where

$c \triangleright (A, \tau, d) = (tell(c) \to A, \tau, d \sqcup c)$ if $\models d \sqcup c$

$c \triangleright (A, \tau, d) = (tell(c) \to A, ff, d)$ if $\not\models d \sqcup c$

6. Given a constraint $c$ and an $A$-collection $X$, the $\triangleleft$ operator is defined by

$c \triangleleft X := \lambda G.\,\{c \triangleleft (A, \tau, d) \mid G = ask(c) \to A,\ (A, \tau, d) \in X(A)\}$,

where

$c \triangleleft (A, \tau, d) = (ask(c) \to A, ff, d)$ if $\not\models d \sqcup c$

$c \triangleleft (A, \tau, d) = (ask(c) \to A, dd, d)$ if $\models d \sqcup c$

7. Let $\{x/z, y/x\}$ denote the simultaneous substitution of the free occurrences of the variables $z$ by their corresponding variables $x$, and of the variables $x$ by their corresponding variables $y$. As before we require $z \cap vars(A) = \emptyset$ and $y \cap vars(c) = \emptyset$. Then

$\exists_x X := \lambda G.\,\{(G, \tau, \exists_y c\{x/z, y/x\}) \mid G = \exists_x A,\ (A, \tau, c) \in X(A)\}$.

8. $p(t) \bullet X := \phi[S/p(t)]$, where

$S := \{(A\rho, \tau, d\rho) \mid A = p(t)\rho,\ (A, \tau, d) \in X(A) \text{ for a renaming } \rho\}$.
6 Conclusions and Future Work

We presented a denotational semantics for Concurrent Constraint Programming based on sequences of interactions of a process with the environment. The semantics is defined using a set of primitive semantic operators, induced by the syntax of programs, and is a good basis for building semantic frameworks for the analysis of ccp programs using Abstract Interpretation techniques. We indeed show how to use the semantics for extracting properties of computations without changing the underlying constraint system.

Future work will concentrate on defining abstractions of computations from one concrete constraint system to an abstract one. In this case we have to state the conditions that ensure the correctness of all the constraint system operators and to define a correct approximation for the entailment test. The problem is that intuitively a correct approximation of the program meaning generates weaker answers for any possible program behavior. Thus, in order to characterize answers associated with suspended computations, we must guarantee that whenever a concrete computation suspends the corresponding abstract computation suspends too. This can only be obtained by replacing ask constraints with stronger constraints, which is usually not the case in abstract interpretation.
Abstract. Our aim is to define a new fixpoint semantics which correctly models finite failure. In order to achieve this goal a new fixpoint operator is derived from a "suitable" concrete semantics by defining a Galois insertion modeling finite failure. The corresponding abstract fixpoint semantics correctly models finite failure and is and-compositional.

Keywords: Abstract interpretation, Logic programming, Finite failure.

1 Which semantics for finite failure

The (ground) finite failure set $FF_P$ (the set of ground atoms which finitely fail in $P$) [2,11] does not correctly model finite failure. In fact if we take the observational equivalence relation $\approx_{ff}$ induced on programs by finite failure defined as

Definition 1. Let $P_1$ and $P_2$ be programs, $G$ be a goal and $T_1$ and $T_2$ be SLD-trees (defined by a fair selection rule) for $G$ in $P_1$ and $P_2$ respectively. Then $P_1 \approx_{ff} P_2$ if, for every goal $G$, $T_1$ is finitely failed if and only if $T_2$ is finitely failed.

and

$FF_P = \{ A \mid A \text{ is a ground atom and } \leftarrow A \text{ has a fair finitely failed SLD-tree} \}$,

it is easy to see that $FF_P$ is not able to model the behavior of finite failure. Namely, the ground finite failure set cannot distinguish programs which have different sets of goals having a fair finitely failed SLD-tree. Here is a counterexample.

Example 1.

$P_1$: p(f(X)) :- p(X)        $P_2$: p(f(X)) :- p(X), p(a)
      s(a)                          s(a)

$P_1$ and $P_2$ have the same finite failure set.

$FF_{P_1} = FF_{P_2} = \{$ p(a), p(f(a)), p(f(f(a))), ..., s(f(a)), s(f(f(a))), s(f(f(f(a)))), ... $\}$

However the goal $\leftarrow$ p(X) has a fair finitely failed SLD-tree in $P_2$ while $\leftarrow$ p(X) has only infinite fair SLD-trees in $P_1$.
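Example 1 can be replayed mechanically. The following Python program is an added example and not code from the paper: it implements a tiny SLD engine with unification and a fair selection rule of its own (leftmost atom, with the body atoms of the applied clause appended to the end of the goal), which is not the parallel rule R the paper defines in Section 2.1 but is fair in the same sense, and it checks that ← p(X) finitely fails in P_2 but not in P_1 while the listed ground atoms finitely fail in both. The depth bound max_depth, the names P1, P2, status and finitely_fails, and the tuple encoding of terms are assumptions of the example.

```python
# Added example, not the paper's code: a small SLD engine used to replay
# Example 1. Terms are tuples ('functor', arg, ...), variables are plain
# strings, clauses are (head, [body atoms]). Selection is a fair queue rule
# of our own (leftmost atom, new body atoms go to the end of the goal).
from itertools import count

def is_var(t):
    return isinstance(t, str)

def rename(t, k):                       # renamed-apart copy: X becomes X_k
    return f'{t}_{k}' if is_var(t) else (t[0],) + tuple(rename(a, k) for a in t[1:])

def walk(t, s):                         # follow variable bindings in s
    while is_var(t) and t in s:
        t = s[t]
    return t

def unify(a, b, s):
    """Most general unifier extending s, or None. No occurs check: the
    programs of Example 1 never need one."""
    a, b = walk(a, s), walk(b, s)
    if a == b:
        return s
    if is_var(a):
        return {**s, a: b}
    if is_var(b):
        return {**s, b: a}
    if a[0] != b[0] or len(a) != len(b):
        return None
    for x, y in zip(a[1:], b[1:]):
        s = unify(x, y, s)
        if s is None:
            return None
    return s

def apply(t, s):                        # apply the bindings in s to t
    t = walk(t, s)
    return t if is_var(t) else (t[0],) + tuple(apply(a, s) for a in t[1:])

def status(program, goal, max_depth=25):
    """Explore the SLD-tree of `goal`: 'success' if some branch succeeds,
    'finitely_failed' if every branch fails within max_depth, otherwise
    'unknown' (a branch longer than max_depth exists, possibly infinite)."""
    fresh = count()
    frontier = [(list(goal), 0)]
    while frontier:
        atoms, depth = frontier.pop()
        if not atoms:
            return 'success'
        if depth >= max_depth:
            return 'unknown'
        selected, rest = atoms[0], atoms[1:]
        for head, body in program:
            k = next(fresh)
            s = unify(selected, rename(head, k), {})
            if s is not None:
                resolvent = [apply(a, s) for a in rest + [rename(b, k) for b in body]]
                frontier.append((resolvent, depth + 1))
    return 'finitely_failed'

def finitely_fails(program, goal, max_depth=25):
    return status(program, goal, max_depth) == 'finitely_failed'

# Example 1 of the paper: P1 and P2 share the ground finite failure set but
# differ on the non-ground goal <- p(X).
A, F = ('a',), lambda t: ('f', t)
P1 = [(('p', F('X')), [('p', 'X')]), (('s', A), [])]
P2 = [(('p', F('X')), [('p', 'X'), ('p', A)]), (('s', A), [])]
GROUND = [('p', A), ('p', F(A)), ('p', F(F(A))), ('s', F(A)), ('s', F(F(A)))]

def ground_ff_agree():
    """True iff every listed ground atom finitely fails in both P1 and P2."""
    return all(finitely_fails(P1, [g]) and finitely_fails(P2, [g]) for g in GROUND)
```

In P2 the goal p(X) is rewritten to p(X_0), p(a), then to p(a), p(X_1); the atom p(a) matches no clause head, so the only branch dies and the tree is finitely failed. In P1 the same goal produces p(X_0), p(X_1), ... without end, so within any depth bound the engine can only report 'unknown', which is the infinite fair SLD-tree of the text.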
In [9], the Non-Ground Finite Failure set, introduced in [12],

$NGFF_P = \{ A \mid \leftarrow A \text{ has a fair finitely failed SLD-tree} \}$,

was proved to be correct w.r.t. finite failure. Moreover $NGFF_P$ was also proved to be and-compositional (i.e. the failure of conjunctive goals can be derived from the behavior of atomic goals only). The proof in [9] is rather complex and needs a construction of ideals of substitutions. However it is important since for the first time it shows that the property of finite failure is indeed AND-compositional.

However, $NGFF_P$ has no fixpoint characterization. This implies that $NGFF_P$ cannot be computed by an iterative fixpoint operator. Therefore all the semantics-based analysis and verification methods which use a "denotational" approach (inductive verification, bottom-up goal independent abstract interpretation, etc.) cannot be applied to finite failure.

Our aim was to find a fixpoint characterization of the set of non-ground finite failure. In order to achieve this goal a new fixpoint operator is derived from a "suitable" concrete semantics by defining a Galois insertion modeling finite failure. The corresponding abstract fixpoint semantics correctly models finite failure and is and-compositional. The "suitable" concrete semantics which we will consider is an extension with infinite computations of the traces semantics in [4]. In fact, in order to model finite failure we need information on the atoms which cannot be rewritten (either finitely or infinitely) via a fair selection rule. Moreover, from this concrete semantics other new interesting fixpoint semantics can be derived by defining a Galois insertion modeling a property "observable" on the concrete semantics. An example is a fixpoint semantics which captures infinite derivations. This is why in the following we will define a general framework for defining new semantics as abstractions of our concrete semantics and then apply it to derive a correct fixpoint semantics for finite failure.

The paper is organized as follows. In Section 2 we define the general framework. We apply the framework to the finite failure observable in Section 3, deriving a fixpoint semantics which correctly models finite failure. Finally, Section 4 relates this new semantics to other well known semantics. All the proofs of the results of this paper can be found in [8].



2 The General Framework

The reader is assumed to be familiar with the terminology of and the basic results in the semantics of logic programs [1, 13] and with the theory of abstract interpretation as presented in [5,6]. Moreover, we will denote by $x$ and $t$ a tuple of distinct variables and a tuple of terms respectively, while $B$ and $G$ will denote a (possibly empty) conjunction of atoms. By $G_0 \xrightarrow[p_1, c_1]{} \cdots \xrightarrow[p_n, c_n]{} G_n$ $(n \ge 0)$ we denote a finite SLD-derivation of goal $G$ via the parallel selection rule. At each step we rewrite the atom in position $p_i$ of the goal $G_{i-1}$ using a renamed apart clause $c_i$, computing a substitution. Infinite SLD-derivations will be indicated by $G_0 \xrightarrow[p_1, c_1]{} \cdots \xrightarrow[p_n, c_n]{} G_n \cdots$
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2.1 Semantic Domain 

We consider sets of SLD traces via a particular fair selection rule which we 
call the parallel selection rule R. Consider a goal $G = A_1, \ldots, A_n$. The rule R, 
at the first step, selects one of the atoms $A_i$. Then, if at rewriting step $i$ 
R has selected the atom in position $j$ in $G_{i-1}$, rewriting it with the clause 
$A \leftarrow B$ and obtaining $G_i$, at step $i+1$ R selects the atom in position 
$(j + length(B)) \bmod length(G_i)$ in $G_i$, where $length(A_1, \ldots, A_n) = n$. 
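As an added illustration (this is example code, not code from the paper), the following Python program implements SLD resolution under the parallel selection rule just defined and runs it on program P1 of Example 2 below. Atom positions are counted from 0 here (the paper counts from 1), the term encoding, the step bound `max_steps` and all function names are this example's own assumptions, and the step bound is needed because derivations may be infinite.

```python
# Added example, not from the paper: SLD resolution with the parallel
# selection rule of Section 2.1, run on program P1 of Example 2.
# Representation (this example's own choice): a variable is a str starting
# with an uppercase letter, any other term is a tuple (functor, *args);
# constants are 1-tuples such as ('a',). Atoms use the same encoding.

def is_var(t):
    return isinstance(t, str)

def walk(t, s):
    """Follow variable bindings in substitution s until an unbound term."""
    while is_var(t) and t in s:
        t = s[t]
    return t

def occurs(v, t, s):
    """Occurs check: does variable v appear in t under s?"""
    t = walk(t, s)
    return v == t if is_var(t) else any(occurs(v, a, s) for a in t[1:])

def unify(a, b, s):
    """Most general unifier extending s, or None if a and b do not unify."""
    a, b = walk(a, s), walk(b, s)
    if a == b:
        return s
    if is_var(a):
        return None if occurs(a, b, s) else {**s, a: b}
    if is_var(b):
        return None if occurs(b, a, s) else {**s, b: a}
    if a[0] != b[0] or len(a) != len(b):
        return None
    for x, y in zip(a[1:], b[1:]):
        s = unify(x, y, s)
        if s is None:
            return None
    return s

def apply(t, s):
    """Fully instantiate t under s, resolving chains of bindings."""
    t = walk(t, s)
    return t if is_var(t) else (t[0],) + tuple(apply(a, s) for a in t[1:])

def rename(clause, k):
    """Rename a clause apart by suffixing each of its variables with _k."""
    def r(t):
        return f"{t}_{k}" if is_var(t) else (t[0],) + tuple(r(a) for a in t[1:])
    head, body = clause
    return r(head), [r(b) for b in body]

def show(t):
    """Render a term in the usual p(f(a)) syntax."""
    if is_var(t):
        return t
    return t[0] if len(t) == 1 else f"{t[0]}({','.join(show(a) for a in t[1:])})"

def variables(t):
    return {t} if is_var(t) else {v for a in t[1:] for v in variables(a)}

# Program P1 of Example 2, as (head, body) pairs.
P1 = [
    (('p', ('f', 'X')), [('p', 'X')]),            # c1: p(f(X)) :- p(X)
    (('q', ('f', ('g', 'X'))), [('q', 'X')]),     # c2: q(f(g(X))) :- q(X)
    (('s', ('f', ('g', ('a',)))), []),            # c3: s(f(g(a)))
]

def derive(program, goal, first, max_steps=6):
    """All SLD derivations of `goal` via the parallel selection rule, starting
    from atom position `first`. Returns one (status, steps, answer) triple per
    branch: status is 'success', 'failure' or 'cut off' (step bound reached,
    so the branch may be infinite); steps lists the (position, clause index)
    selected at each rewriting; answer is the computed answer on success."""
    goal_vars = sorted({v for a in goal for v in variables(a)})
    results = []

    def run(goal, pos, s, steps):
        if not goal:                                   # empty goal: success
            results.append(('success', steps,
                            {v: show(apply(v, s)) for v in goal_vars}))
            return
        if len(steps) == max_steps:
            results.append(('cut off', steps, None))
            return
        selected, branched = goal[pos], False
        for ci, clause in enumerate(program):
            head, body = rename(clause, len(steps))
            s2 = unify(selected, head, s)
            if s2 is None:
                continue
            branched = True
            new_goal = goal[:pos] + body + goal[pos + 1:]
            # Parallel rule: the body of the rewritten atom occupies positions
            # pos .. pos+len(body)-1 of the resolvent, so the next selected
            # position is (pos + len(body)) mod len(resolvent).
            nxt = (pos + len(body)) % len(new_goal) if new_goal else 0
            run(new_goal, nxt, s2, steps + [(pos, ci)])
        if not branched:                               # no clause applies
            results.append(('failure', steps, None))

    run(list(goal), first, {}, [])
    return results

if __name__ == "__main__":
    for g in ([('s', 'X')], [('p', 'X')], [('p', 'X'), ('q', 'X'), ('s', 'X')]):
        print(", ".join(show(a) for a in g), "->", derive(P1, g, 0))
```

Run on P1, `s(X)` succeeds in one step with the answer `X/f(g(a))` (the computed answer of Example 4), `p(X)` alone keeps rewriting until the step bound (the infinite derivation Example 3 shows), and the conjunction `p(X), q(X), s(X)` finitely fails after three steps whichever atom is selected first: the positions visited from `p(X)` are 0, 1, 2 and from `s(X)` are 2, 0, 1, which is the round-robin behaviour the rule prescribes.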

A set of derivations S for the goal $G = A_1, \ldots, A_n$ is well-formed if and only 
if, for any d in S obtained by selecting as first atom $A_i$, any prefix of d is also in 
S and any d' obtained by selecting as first atom $A_j$ and using the same clauses 
(as long as possible) as the ones in d is also in S. A collection D is a partial 
function Goals → WFS such that, for every G, if D(G) is defined, then it is a 
well-formed set of derivations in P (via the parallel selection rule) all starting 
from the goal G. 

Hence a collection is a function which associates to any goal G a (represen- 
tation of a) partial SLD-tree of G in P. A pure collection is a collection defined 
for pure atomic goals only. C is the domain of all the collections ordered by 
⊑, where D ⊑ D' if and only if ∀G, D(G) ⊆ D'(G). The partial order on C 
formalizes the evolution of the computation process. (C, ⊑) is a complete lattice. 
PC denotes the sub-lattice of all pure collections. 

The equivalence modulo enhanced variance ≡_C on collections is defined as 
D ≡_C D' if and only if, for any G such that D(G) is defined, there exists a 
variant G' of G such that D'(G') is defined and, for any d ∈ D(G), there exists 
d' ∈ D'(G') such that clauses(d) = clauses(d'), and vice versa. 

Example 2. Consider the following program P1: 

  c1 : p(f(X)) :- p(X) 
  c2 : q(f(g(X))) :- q(X) 
  c3 : s(f(g(a))) 

For every collection D, D(p(X), q(X), s(X)) is a representation of a partial SLD- 
tree of the goal p(X), q(X), s(X) in P via the parallel selection rule. Indeed, we can 
consider the collection D', a partial function which associates to p(X), q(X), s(X) 
the well-formed set of derivations 

[The listing of D'(p(X), q(X), s(X)) is only partly legible. Writing 
$G \xrightarrow{\vartheta\ i,c} G'$ for a step that rewrites the atom in position i with 
clause c computing the substitution ϑ, the legible derivations are the one 
starting from p(X), 

  $p(X),q(X),s(X) \xrightarrow{\{X/f(Y)\}\ 1,c_1} p(f(Y)),q(f(Y)),s(f(Y)) \xrightarrow{2,c_2} p(f(g(T))),q(f(g(T))),s(f(g(T))) \xrightarrow{\{T/a\}\ 3,c_3} p(f(g(a))),q(f(g(a))) \xrightarrow{1,c_1} p(f(g(a))),q(f(g(a))) \xrightarrow{2,c_2} p(f(g(a))),q(f(g(a))) \cdots$ 

together with its prefixes, the ones obtained by starting from q(X), 

  $p(X),q(X),s(X) \xrightarrow{2,c_2} p(f(g(Y))),q(f(g(Y))),s(f(g(Y))) \xrightarrow{3,c_3} p(f(g(a))),q(f(g(a))) \xrightarrow{1,c_1} p(f(g(a))),q(f(g(a))) \cdots$ 

and the ones obtained by starting from s(X), 

  $p(X),q(X),s(X) \xrightarrow{3,c_3} p(f(g(a))),q(f(g(a))) \xrightarrow{1,c_1} p(f(g(a))),q(f(g(a))) \xrightarrow{2,c_2} p(f(g(a))),q(f(g(a))) \cdots$ 

again with their prefixes.] 



Note that D'(p(X), q(X), s(X)) is a representation of the maximal SLD-tree of 
p(X), q(X), s(X) in P, while the collection D'' which associates to the goal 
p(X), q(X), s(X) the well-formed set of derivations 

  $p(X),q(X),s(X) \xrightarrow{\{X/f(Y)\}\ 1,c_1} p(f(Y)),q(f(Y)),s(f(Y)) \xrightarrow{2,c_2} p(f(g(T))),q(f(g(T))),s(f(g(T)))$, 

  $p(X),q(X),s(X) \xrightarrow{\{X/f(Y)\}\ 1,c_1} p(f(Y)),q(f(Y)),s(f(Y))$, 

  $p(X),q(X),s(X) \xrightarrow{2,c_2} p(f(g(Y))),q(f(g(Y))),s(f(g(Y)))$ 

represents a partial SLD-tree of p(X), q(X), s(X) in P. 

An interpretation I (C-interpretation) is a pure collection modulo enhanced 
variance. I_C denotes the set of interpretations and, by abuse of notation, the quo- 
tient order on I_C is denoted by ⊑. (I_C, ⊑) is a complete lattice. A collection also 
denotes its equivalence class (modulo enhanced variance). Moreover, 
any interpretation I of I_C is implicitly considered also as an arbitrary collection 
obtained by choosing an arbitrary representative of I. Since all the operators 
defined on interpretations are independent from the choice of the represen- 
tative, we can define any operator on I_C in terms of its counterpart defined on 
C. All the definitions are independent from the choice of the syntactic object. 
To simplify the notation, we denote the corresponding operators on I_C and C by 
the same name. 



2.2 Denotational semantics 

Queries and programs are described by the following grammar, 

  QUERY  ::= GOAL in PROG, 
  GOAL   ::= □ | ATOM, GOAL, 
  PROG   ::= ∅ | {CLAUSE} ∪ PROG, 
  CLAUSE ::= ATOM ← GOAL. 

We define the denotational semantics inductively on the syntax. The semantic 
functions are 

  $\mathcal{Q}[\![\cdot]\!] : \mathrm{QUERY} \to C$, 
  $\mathcal{G}[\![\cdot]\!] : \mathrm{GOAL} \to (I_C \to C)$, 
  $\mathcal{A}[\![\cdot]\!] : \mathrm{ATOM} \to (I_C \to C)$, 
  $\mathcal{T}[\![\cdot]\!] : \mathrm{PROG} \to (I_C \to I_C)$, 
  $\mathcal{C}[\![\cdot]\!] : \mathrm{CLAUSE} \to (I_C \to I_C)$. 

Our semantic functions are described in terms of some semantic operators, whose 
choice is induced by the syntactic operations, so that the resulting denotational 
semantics is compositional w.r.t. all the syntactic operations. The semantic op- 
erations, formally defined in Section 2.4, are ×, ⊙, ▷, + and tree, whose informal 
meaning is the following. The operator ×, (D1 × D2, D1, D2 ∈ C), computes 
a new collection which contains all the traces (via a parallel rule) for the goal 
G1, G2, using the information on the traces (via a parallel rule) for the goal G1 
in D1 and the traces (via a parallel rule) for the goal G2 in D2. The operator 
⊙, (A ⊙ D, A ∈ Atoms, D ∈ C), computes the set of traces for A using the 
information on the traces for A', A' ≤ A (A' ≤ A if there exists a substitution 
ϑ such that A = A'ϑ), in D. The operator ▷, (D1 ▷ D2, D1, D2 ∈ C), computes 
a new collection obtained by extending, whenever it is possible, the traces of 
D1 with the traces of D2. The operator +, (D1 + D2, D1, D2 ∈ C), computes 
a new collection obtained by considering for every goal G all the traces for G 
in D1 and all the traces for G in D2. Finally, tree, (tree(c), c ∈ Clauses), maps 
clauses to collections. Indeed every clause c := p(t) ← B can be viewed as the 
"one step" interpretation (collection). 

The semantic functions are 

  $\mathcal{Q}[\![G \text{ in } P]\!] := \mathcal{G}[\![G]\!]_{gfp\,\mathcal{T}[\![P]\!]}$ 
  $\mathcal{G}[\![A, G]\!]_I := \mathcal{A}[\![A]\!]_I \times \mathcal{G}[\![G]\!]_I$ 
  $\mathcal{G}[\![\square]\!]_I := \phi_\square$ 
  $\mathcal{A}[\![A]\!]_I := A \odot I$ 
  $\mathcal{T}[\![\{c\} \cup P]\!]_I := \mathcal{C}[\![c]\!]_I + \mathcal{T}[\![P]\!]_I$ 
  $\mathcal{T}[\![\emptyset]\!]_I := Id_I$ 
  $\mathcal{C}[\![H \leftarrow B]\!]_I := tree(H \leftarrow B) \rhd \mathcal{G}[\![B]\!]_I$. 

where the void collection φ is the collection which is undefined on every goal G, 
i.e., the everywhere undefined function. 

Note that the semantics of a set of clauses (a program) is the greatest fixpoint 
of $\mathcal{T}[\![P]\!]$. 

The pure identity collection $Id_I$ is the pure collection of zero-length deriva- 
tions for each goal, λp(x).{p(x)}¹. Moreover $\phi_G$ denotes the collection φ[{G}/G] 
and □ denotes the empty goal. Let us now give some intuitions on what 
gfp $\mathcal{T}[\![\cdot]\!]$ computes. 



Example 3. Consider the program P1 in Example 2. [The derivation listings 
of this example are only partly legible; the recoverable content follows.] 

gfp $\mathcal{T}[\![P_1]\!]$(p(X)) = { $p(X) \xrightarrow{\{X/f(Y)\}\ 1,c_1} p(f(Y)) \xrightarrow{1,c_1} p(f(Y)) \xrightarrow{1,c_1} p(f(Y)) \cdots$, 
  together with all its finite prefixes } 



¹ Note that when we write λp(x).E we denote a partial function which is defined only 
for inputs of the form p(x) and is otherwise undefined. 
gfp $\mathcal{T}[\![P_1]\!]$(q(X)) = { $q(X) \xrightarrow{\{X/f(g(Y))\}\ 1,c_2} q(f(g(Y))) \xrightarrow{1,c_2} q(f(g(Y))) \xrightarrow{1,c_2} q(f(g(Y))) \cdots$, 
  together with all its finite prefixes } 

gfp $\mathcal{T}[\![P_1]\!]$(s(X)) = { $s(X) \xrightarrow{1,c_3} \square$ } 



Consider now the program P2: 

  c1 : q(a) :- p(X) 
  c2 : p(f(X)) :- p(X) 

gfp $\mathcal{T}[\![P_2]\!]$(q(Y)) = { $q(Y) \xrightarrow{\{Y/a\}\ 1,c_1} p(X) \xrightarrow{\{X/f(X_1)\}\ 1,c_2} p(f(X_1)) \xrightarrow{1,c_2} p(f(f(X_2))) \xrightarrow{1,c_2} p(f(f(f(X_3)))) \xrightarrow{1,c_2} p(f(f(f(f(X_4))))) \cdots$, 
  together with all its finite prefixes } 

gfp $\mathcal{T}[\![P_2]\!]$(p(X)) = { $p(X) \xrightarrow{\{X/f(X_1)\}\ 1,c_2} p(f(X_1)) \xrightarrow{1,c_2} p(f(f(X_2))) \xrightarrow{1,c_2} p(f(f(f(X_3)))) \cdots$, 
  together with all its finite prefixes } 



2.3 Basic operations on derivations 

By $d = G_0 \xrightarrow{p_1,c_1} \cdots \xrightarrow{p_n,c_n} G_n \rightarrow \cdots$ we denote a possibly infinite SLD- 
derivation of G via the parallel selection rule, where $first(d) = G_0$ and $clauses(d) = 
c_1, \ldots, c_n$. By var(d) we denote all the variables appearing in the derivation d. 

We now define some auxiliary operations on derivations. These operations will 
be used in Section 2.4 in order to define the semantic operators on collections. 
- $d_1 :: d_2$ denotes the concatenation of $d_1$ and $d_2$. 
  Let $d_1 = G \xrightarrow{p_1,c_1} \cdots \xrightarrow{p_n,c_n} G'$ and $d_2 = G' \xrightarrow{p'_1,c'_1} \cdots$. 
  If $var(d_1) \cap var(d_2) = var(first(d_2))$ and 
  $p'_1 = (p_n + length(body(c_n))) \bmod length(G')$, then $d_1 :: d_2$ is defined. 



- $\partial_\gamma(d)$ is the derivation obtained by applying the substitution γ to first(d) 
  and building a derivation as long as possible (until a failure in finding mgus 
  occurs) by selecting the same atoms and by using the same clauses as in d. 
  Let $d := G_0 \xrightarrow{p_1,c_1} \cdots \xrightarrow{p_n,c_n} G_n$ be a derivation and γ be an 
  idempotent substitution such that $var(G_0\gamma) \cap var(clauses(d)) = \emptyset$. 
  Then $\partial_\gamma(d) := G'_0 \xrightarrow{p_1,c_1} \cdots \xrightarrow{p_h,c_h} G'_h$, where 
  • $G'_0 := G_0\gamma$, and 
  • for any i, if $G'_{i-1} = (G_1, A, G_2)$ and A is the $p_i$-th atom in $G'_{i-1}$, $c_i = H \leftarrow B$, 
    then (if an mgu exists) $\vartheta_i := mgu(A, H)$ and $G'_i := (G_1, B, G_2)\vartheta_i$. 



- $d_1 \wedge^i d_2$, for i = 1, 2, is the derivation obtained by trying to build a derivation 
  for the goal $(first(d_1), first(d_2))$ by a parallel selection rule (starting from 
  the first atom selected in the derivation $d_i$) as long as possible, using the 
  same clauses as in $d_1$ and $d_2$. 
  $d_1 \wedge^i d_2$ is defined if $var(d_1) \cap var(d_2) \subseteq first(d_1) \cap first(d_2)$. 
  For the sake of simplicity we omit the formal definition, which can be found 
  in [8]. 

Note that the operators on derivations are defined so that variable name clashes 
in the clauses are avoided. Hence the results of the construction are independent 
(modulo variance) from the choice of the mgu. 

Lemma 1. Let $d_1, d_2$ be derivations and γ be an idempotent substitution. Then 
the following properties hold. 

1. If $d_1 :: d_2$ is defined then $d_1 :: d_2$ is a derivation. 
2. If $\partial_\gamma(d)$ is defined then $\partial_\gamma(d)$ is a derivation. 
3. If $d_1 \wedge^i d_2$ is defined then $d_1 \wedge^i d_2$ is a derivation. 

2.4 Basic operators on collections 

The sum of a class $\{D_j\}_{j \in J}$ is 

  $\sum\{D_j\}_{j \in J} := \lambda G.\ \bigcup_{j \in J} D_j(G)$, and $D_1 + D_2$ denotes $\sum\{D_1, D_2\}$. 

The product of a class $\{D_j\}_{j \in J}$ is 

  $\prod\{D_j\}_{j \in J} := \lambda G.\ \bigcap_{j \in J} D_j(G)$. 

The instantiation of D with A is 

  $A \odot D := \phi[S/A]$, where 
  $S := \{\partial_\gamma(d) \mid S'$ is a renamed apart (from A) version of $D(A')$, for some $A' \le A$, 
  $d \in S'$ and there exists γ such that $A = first(d)\gamma$ and $\partial_\gamma(d)$ is defined$\}$. 

The and-composition of $D_1$ and $D_2$ is 

  $D_1 \times D_2 := (D_1 \times^1 D_2) + (D_1 \times^2 D_2)$, where for i = 1, 2, 
  $D_1 \times^i D_2 := \lambda G.\ \{d_1 \wedge^i d_2 \mid G = (G_1, G_2)$ and, for i = 1, 2, 
  $d_i$ is a renamed version of an element in $D_i(G_i)$ such that $G_i = first(d_i)$, 
  and $d_1 \wedge^i d_2$ is defined$\}$. 

The (compatible) extension of $D_1$ by $D_2$ is 

  $D_1 \rhd D_2 := \lambda G.\ D_1(G) \cup \{d_1 :: d_2 \mid d_1 \in D_1(G)$, $G_2 = last(d_1)$ and $d_2$ is a 
  renamed version of an element in $D_2(G_2)$ such that $d_1 :: d_2$ is defined$\}$. 

The tree operation maps clauses to collections: tree(c) is the collection φ updated 
at p(x) with the single one-step derivation that rewrites p(x) (position 1) with c, 
where x is a tuple of new distinct variables and $c = p(t) \leftarrow B$. 



2.5 Program denotation 

The fixpoint denotation of the program P is the interpretation $\mathcal{F}[\![P]\!] := gfp\,\mathcal{T}[\![P]\!]$. 

Theorem 1. $\mathcal{T}[\![P]\!]$ is continuous and co-continuous on (C, ⊑). 

We can define the ordinal powers of $\mathcal{T}[\![P]\!]$ so that 

  $\mathcal{F}[\![P]\!] = glb(\mathcal{T}[\![P]\!] \downarrow \omega) = \prod_{i < \omega}\{\mathcal{T}[\![P]\!] \downarrow i\}$. 


A fixpoint semantics for reasoning about finite failure 247 



In [8] we have also defined an operational semantics $\mathcal{O}[\![P]\!]$, in terms of a 
transition system and a completion on sets of derivations. $\mathcal{O}[\![P]\!]$ correctly models 
the finite and infinite SLD traces (via a parallel rule) derivable by a program P. 
Namely, if we define the equivalence on programs $P_1$ and $P_2$ as the equivalence 
of their behaviors, i.e., $P_1 \approx P_2 \iff \forall G \in Goals$, 

  { d | d is an infinite or finite (possibly partial) derivation for G in $P_1$, via a parallel rule } = 
  { d | d is an infinite or finite (possibly partial) derivation for G in $P_2$, via a parallel rule }, 

the following results hold: 

- $\mathcal{O}[\![\cdot]\!]$ is correct w.r.t. ≈, i.e. $\mathcal{O}[\![P_1]\!] = \mathcal{O}[\![P_2]\!] \Rightarrow P_1 \approx P_2$, 
- and $\mathcal{O}[\![\cdot]\!]$ is minimal w.r.t. ≈, i.e. $P_1 \approx P_2 \Rightarrow \mathcal{O}[\![P_1]\!] = \mathcal{O}[\![P_2]\!]$. 

An important result is that 

Theorem 2. $\mathcal{O}[\![P]\!] = \mathcal{F}[\![P]\!]$, 

which ensures the equivalence of the operational and denotational semantics and 
states that the denotational semantics is also correct and minimal w.r.t. ≈. 

2.6 The observable 

Once we have defined the concrete fixpoint semantics we can derive abstract 
fixpoint semantics which model different observable behaviors of the program. 
An observable behavior is any property which can be "observed" on the 
concrete semantics and can be formalized as a Galois insertion. 

Example 4. Assume that we are interested in defining a semantics modeling com- 
puted answers as defined in [7, 3]. We can "observe" this property on our concrete 
semantics. Then, we can define an abstraction function on collections D which, 
for every goal G, associates to G the set of substitutions $(\vartheta_1 \cdot \ldots \cdot \vartheta_n)|_{var(G)}$ 
where the derivation $G \xrightarrow{\vartheta_1} \cdots \xrightarrow{\vartheta_n} \square$ belongs to D(G). Indeed, 
the abstraction function $\alpha_{ca}$ for computed answers applied to the collection 
gfp $\mathcal{T}[\![P_1]\!]$ (Example 3) yields as result the partial function 

  $\alpha_{ca}$(gfp $\mathcal{T}[\![P_1]\!]$)(p(X)) = { } 
  $\alpha_{ca}$(gfp $\mathcal{T}[\![P_1]\!]$)(q(X)) = { } 
  $\alpha_{ca}$(gfp $\mathcal{T}[\![P_1]\!]$)(s(X)) = { X/f(g(a)) } 

Once we have formalized the property of interest as a Galois insertion, we 
define the optimal abstract fixpoint operator. 

Here we want to establish sufficient conditions so that the abstract fixpoint 
semantics that we derive is precise with respect to the concrete one and inherits 
all the desirable properties from the concrete denotation. 
Consider an abstract domain (𝒟, ≼), which is a complete lattice. A function 
α : WFS → 𝒟 is a domain abstraction if there exists γ such that (α, γ) : 
(WFS, ⊆) ⇄ (𝒟, ≼) is a Galois insertion. Given an abstract domain 𝒟 we are 
interested in the abstract behavior of queries, which are elements of a domain 
A ⊆ [Goals → 𝒟] (ordered by the trivial extension ≤ of ≼) and are called 
A-collections. 

It is easy to see that the insertion (α, γ) can be lifted to collections as fol- 
lows. For all G ∈ Goals, ∀D ∈ C, α*(D) := λG. α(D(G)), A := α*(C) and 
∀S ∈ A, γ*(S) := λG. wf_G(γ(S(G))), where wf_G(S) is the greatest well-formed 
subset, of derivations starting from G only, of any set of derivations S. The pair 
(α*, γ*) : (C, ⊑) ⇄ (A, ≤) is a Galois insertion. We will often abuse notation 
and denote simply α* by α. As in the concrete case, a pure A-collection is any 
element X ∈ A which is defined for pure atomic goals only. We denote by PA 
the sub-lattice of pure A-collections. 

Definition 2. Let (A, ≤) be a complete lattice of A-collections. A function α : 
C → A is an observable if there exists γ such that 

1. (α, γ) : (C, ⊑) ⇄ (A, ≤) is a Galois insertion, 
2. α(PC) = PA and γ(PA) ⊆ PC, 
3. ∀D, D' ∈ PC, D ≡_C D' ⟹ (γα)(D) ≡_C (γα)(D'). 

Note that given a domain abstraction it is easy to obtain an observable by the 
above mentioned lifting. 

We can define an abstract enhanced variance relation ≡_A on A-collections as 
follows. For any A-collections X, X', X ≡_A X' ⟺ γ(X) ≡_C γ(X'). An A-inter- 
pretation is a pure A-collection modulo ≡_A. We denote by (I_A, ≤) the complete 
lattice of A-interpretations with the induced quotient order. Condition 3 of 
Definition 2 states that the observation does not depend on the choice of the 
variable names and on the choice of the mgus used in the derivations. Namely 
D ≡_C D' implies α(D) ≡_A α(D'). Hence for any C-interpretation I, the A-inter- 
pretation α(I) is well defined by taking the abstraction of any representative of 
I as a representative of the intended A-interpretation. 

Once we have an observable α : C → A, we want to systematically derive 
the abstract semantics. The idea is to define the optimal abstract versions of the 
various semantic operators defined on C. Hence, ∀X, X', X_i ∈ A, 

  $A \tilde{\odot} X := \alpha(A \odot \gamma(X))$, 
  $X \tilde{\times} X' := \alpha(\gamma(X) \times \gamma(X'))$, 
  $X \tilde{\rhd} X' := \alpha(\gamma(X) \rhd \gamma(X'))$, 
  $\tilde{\prod}\{X_i\}_{i \in I} := \alpha(\prod\{\gamma(X_i)\}_{i \in I})$. 

Moreover, if the abstract operators also satisfy the following conditions, 

  $\alpha(A \odot D) = \alpha(A \odot (\gamma \circ \alpha)D)$, (2.1) 
  $\alpha(D \times D') = \alpha((\gamma \circ \alpha)D \times (\gamma \circ \alpha)D')$, (2.2) 
  $\alpha(D \rhd D') = \alpha(D \rhd (\gamma \circ \alpha)D')$, (2.3) 
  $\alpha(\prod\{D_i\}_{i \in I}) = \alpha(\prod(\gamma \circ \alpha)\{D_i\}_{i \in I})$, $\{D_i\}_{i \in I}$ a descending chain of collections, (2.4) 
  $\alpha(\prod\gamma(\{X_i\}_{i \in I})) = glb\{X_i\}_{i \in I}$, $\{X_i\}_{i \in I}$ a descending chain of abstract collections, (2.5) 

then the abstract denotational semantics, defined by using the abstract optimal 
operators as follows, 

Denotational semantics 

  $\mathcal{Q}_\alpha[\![G \text{ in } P]\!] := \mathcal{G}_\alpha[\![G]\!]_{gfp\,\mathcal{T}_\alpha[\![P]\!]}$ 
  $\mathcal{G}_\alpha[\![A, G]\!]_X := \mathcal{A}_\alpha[\![A]\!]_X \tilde{\times} \mathcal{G}_\alpha[\![G]\!]_X$ 
  $\mathcal{G}_\alpha[\![\square]\!]_X := \alpha(\phi_\square)$ 
  $\mathcal{A}_\alpha[\![A]\!]_X := A \tilde{\odot} X$ 
  $\mathcal{T}_\alpha[\![\{c\} \cup P]\!]_X := \mathcal{C}_\alpha[\![c]\!]_X + \mathcal{T}_\alpha[\![P]\!]_X$ 
  $\mathcal{T}_\alpha[\![\emptyset]\!]_X := \alpha(Id_I)$ 
  $\mathcal{C}_\alpha[\![H \leftarrow B]\!]_X := \alpha \circ \mathcal{C}[\![H \leftarrow B]\!] \circ \gamma(X)$ 
  $\mathcal{F}_\alpha[\![P]\!] := gfp\,\mathcal{T}_\alpha[\![P]\!]$ 

has the following properties. 

Theorem 3. Let α : C → A be an observable which satisfies the previous condi- 
tions, c be a clause, A be an atom, G be a goal and P be a program. Then 

1. $\alpha(\mathcal{A}[\![A]\!]_I) = \mathcal{A}_\alpha[\![A]\!]_{\alpha(I)}$, 
2. $\alpha(\mathcal{G}[\![G]\!]_I) = \mathcal{G}_\alpha[\![G]\!]_{\alpha(I)}$, 
3. $\alpha(\mathcal{C}[\![c]\!]_I) = \mathcal{C}_\alpha[\![c]\!]_{\alpha(I)}$, 
4. $\alpha(\mathcal{T}[\![P]\!]_I) = \mathcal{T}_\alpha[\![P]\!]_{\alpha(I)}$, 
5. $\mathcal{T}_\alpha[\![P]\!]$ is co-continuous on A and $\mathcal{F}_\alpha[\![P]\!] = \mathcal{T}_\alpha[\![P]\!] \downarrow \omega$, 
6. $\alpha(\mathcal{F}[\![P]\!]) = \mathcal{F}_\alpha[\![P]\!]$ and $\alpha(\mathcal{Q}[\![G \text{ in } P]\!]) = \mathcal{Q}_\alpha[\![G \text{ in } P]\!]$. 

This means that for any observable property on the concrete semantics which 
can be formalized by a Galois insertion (α), if the optimal abstract operators 
satisfy properties 2.1-2.5, we are guaranteed that the induced abstract denota- 
tional semantic functions are precise w.r.t. the concrete ones and that the fixpoint 
operator $\mathcal{T}_\alpha[\![\cdot]\!]$ is co-continuous. The precision of the abstract denotational se- 
mantic functions implies the correctness of the abstract denotational semantics 
w.r.t. the observable property α. 

3 On finite failure 

3.1 The Semantic Domain 

By $\vartheta_1 :: \vartheta_2 :: \cdots :: \vartheta_n :: \cdots$ we indicate a (possibly infinite) sequence of relevant 
substitutions for a goal G such that $G\vartheta_i \le G\vartheta_{i+1}$. 
Finite failure is a downward closed property, i.e., if G finitely fails then Gϑ 
finitely fails too. Moreover it enjoys a kind of "upward closure". Namely, if the 
goal G does not finitely fail, then there exists a (possibly infinite) sequence of 
substitutions $\vartheta_1 :: \cdots :: \vartheta_n :: \cdots$ such that for every G' which finitely fails, there 
exists a j such that G' does not unify with $G\vartheta_h$, for h > j. Note that the above 
mentioned sequence of substitutions can be viewed as the one computed by an 
infinite or successful derivation for the goal G. If we cannot find such a sequence 
for the goal G, then G finitely fails. Now, suppose we know that a given set C 
of goals finitely fails. We can infer that an instance Gϑ of a goal G finitely fails 
if for all sequences of substitutions $\vartheta_1 :: \cdots :: \vartheta_n :: \cdots$, there exists a G' ∈ C 
such that ∀i, G' unifies with $G\vartheta\vartheta_i$. 

The intuition behind the above remarks can be formalized by an operator on 
Goals, where Goals is the domain of goals of the program P. 

Definition 3. Let C ⊆ Goals and G ∈ Goals. 

  $up_G(C) = C \cup \{G\vartheta \mid$ for all (possibly infinite) sequences of relevant substitutions 
  for the goal G, $\vartheta_1 :: \cdots :: \vartheta_n :: \cdots$, there exists a G' ∈ C such that 
  ∀i, G' unifies with $G\vartheta\vartheta_i\}$. 

$up_G$ is a closure operator, i.e., it is monotonic w.r.t. set inclusion, idempotent 
and extensive. 

Let 𝒮 be the domain of sets of downward closed instances of a goal G, which 
are also closed with respect to $up_G$. 



3.2 The non ground finite failure observable 

By d' ≤_d d we mean that d' is a prefix of d, while $d^j$ denotes the prefix of length 
j of d. 

Let us first introduce some new operators useful in the definition of the ab- 
straction and concretization functions. 

Definition 4. Let G be a goal and A be an atom. 

  $NUnif_G(A) = \{G\gamma \mid G\gamma$ is not unifiable with $A\}$ 

Definition 5. Let G be a goal and S ∈ 𝒮. 

  $NUnifseq_G(S) = \{\vartheta_1 :: \cdots :: \vartheta_n :: \cdots \mid \forall G' \in S$ there exists an i such that 
  G' is not unifiable with $G\vartheta_i\}$ 

Consider now the abstract domain $A_{ff} \subseteq [Goals \to \mathcal{S}]$. $A_{ff}$ is the domain of all 
the partial functions ordered by $\sqsubseteq_{ff}$, where $F \sqsubseteq_{ff} F'$ if and only if ∀G, F(G) ⊇ 
F'(G). $(A_{ff}, \sqsubseteq_{ff})$ is a complete lattice. 

Intuitively a goal G has a finite failure if it cannot be rewritten successfully 
or infinitely. 
Example 5. Consider the program P1 of Example 2 and its concrete semantics 
gfp $\mathcal{T}[\![P_1]\!]$ as described in Example 3. The instances of the atom p(X) which 
finitely fail are the ones which cannot be rewritten infinitely or successfully. 
These are the atoms which do not unify with $p(X)\vartheta_i$ starting from a given i, 
where the $\vartheta_i$'s are the ones in the derivation 

  $p(X) \xrightarrow{\{X/f(Y)\}\ 1,c_1} p(f(Y)) \xrightarrow{1,c_1} p(f(Y)) \xrightarrow{1,c_1} p(f(Y)) \cdots$ 

This intuition is formalized by the following observable α : C → $A_{ff}$ 

  $\alpha(D) := \lambda G.\ \bigcap_{d \in D(G),\ (last(d) = \square \text{ or } last(d) = \infty)}\ \bigcup_{d' \le_d d} NUnif_G(G\,answer(d'))$, 

  $\gamma(X) := \lambda G.\ \{d \mid \vartheta_1 :: \cdots :: \vartheta_n :: \cdots \in NUnifseq_G(X),\ first(d) = G,\ \forall i\ \exists j_i,\ answer(d^{j_i}) = \vartheta_i\}$ 
  $\cup\ \{d \mid first(d) = G,\ last(d) \ne \square \text{ and } last(d) \ne \infty\}$ 

where last(d) is equal to the last goal of the derivation d, if d is finite, and ∞ 
otherwise. answer(d) is the substitution computed by the derivation d, restricted 
to var(first(d)). 



Example 6. Consider P2 and gfp $\mathcal{T}[\![P_2]\!]$ in Example 3. 

  α(gfp $\mathcal{T}[\![P_2]\!]$)(q(X)) = { q(f(X)), q(f(f(X))), ..., q(f(a)), q(f(f(a))), ... } 
  α(gfp $\mathcal{T}[\![P_2]\!]$)(p(X)) = { p(a), p(f(a)), p(f(f(a))), ... } 

Lemma 2. 
- (α, γ) : (C, ⊑) ⇄ $(A_{ff}, \sqsubseteq_{ff})$ is a Galois insertion. 
- α(PC) = $PA_{ff}$ and γ($PA_{ff}$) ⊆ PC. 
- ∀D, D' ∈ PC, D ≡_C D' ⟹ (γα)(D) ≡_C (γα)(D'). 

Now that we have stated that α is an observable we can define the optimal 
abstract operations on $A_{ff}$. 
Lemma 3. Let X be a pure abstract collection. 

  $A \tilde{\odot} X = \phi[R/A]$, where 
  $R = \{A\delta \mid \langle H, \Theta \rangle$ is a renamed apart (from A) version of $\langle A', X(A') \rangle$, 
  for some $A' \le A$, $A'' \in \Theta$, and $\delta = mgu(A, A'')|_A\}$. 

  $X_1 \tilde{\times} X_2 = \lambda G.\ up_G(\{G\delta \mid G = (G^1, G^2)$, for i = 1 or i = 2, 
  $G^i\delta$ is a renamed apart version of a goal in $X_i(G')$, via a renaming $\rho_i$ 
  s.t. $G'\rho_i = G^i$, $var(G^i\delta) \cap var(G^l) \subseteq var(G^i) \cap var(G^l)$, 
  l = 1 or l = 2 and l ≠ i$\})$. 

  $\tilde{\prod} X_i = \lambda G.\ up_G(\bigcup X_i(G))$. 

  $\tilde{\sum} X_i = \lambda G.\ \bigcap X_i(G)$. 

As we already pointed out, in [9] we proved that $NGFF_P$ was and-compositional, 
i.e. the behavior of compound goals could be obtained from the behavior of 
atomic goals only. However the and-composition relation was rather complex. 
Here we have automatically derived the and-compositionality operator for finite 
failure, yielding a simpler way to derive information on finite failure of conjunctive 
goals. Moreover the previously defined optimal operators satisfy conditions 2.1- 
2.5. 

Lemma 4. $\tilde{\odot}$, $\tilde{\times}$, $\tilde{\prod}$ satisfy conditions 2.1-2.5. 

We can now define the abstract denotational semantics and the optimal fixpoint 
operator $\mathcal{T}_\alpha[\![P]\!]_X$, as described in Section 2.6. 

Lemma 5. 

  $\mathcal{T}_\alpha[\![P]\!]_X = \lambda p(x).\ \{p(t) \mid$ for every clause $p(t) :\!- B \in P$ defining the procedure p, 
  $p(t) \in up_{p(x)}(NUnif_{p(x)}(p(t)) \cup \{p(t)\delta \mid \delta$ is a relevant substitution for p(t), 
  $B\delta \in up_B(C)\})\}$ 

  where $C = \{B\sigma \mid B = (B_1, \ldots, B_n),\ \exists B_i,\ B_i\sigma \in X(B_i)\}$. 

By Lemma 3, $\mathcal{T}_\alpha[\![P]\!]$ is co-continuous. By defining the ordinal powers $\mathcal{T}_\alpha[\![P]\!] \downarrow i$ 
in the usual way, our semantics will be 

  $gfp(\mathcal{T}_\alpha[\![P]\!]) = glb(\{\mathcal{T}_\alpha[\![P]\!] \downarrow i \mid i < \omega\}) = up_{p(x)}(\bigcup_{i < \omega} \mathcal{T}_\alpha[\![P]\!] \downarrow i)$. 

Let us now show how our semantics works on some examples. 
Let us now show how our semantics works on some examples. 
Example 7. Assume $\Sigma_P = \{f, a\}$ and program P2 in Example 3. 

  $\mathcal{T}_\alpha[\![P_2]\!] \downarrow 1\,(q(X))$ = { q(f(X)), q(f(f(X))), ..., q(f(a)), q(f(f(a))), ... } 
  $\mathcal{T}_\alpha[\![P_2]\!] \downarrow 1\,(p(X))$ = { p(a) } 
  $\mathcal{T}_\alpha[\![P_2]\!] \downarrow 2\,(q(X))$ = { q(f(X)), q(f(f(X))), ..., q(f(a)), q(f(f(a))), ... } 
  $\mathcal{T}_\alpha[\![P_2]\!] \downarrow 2\,(p(X))$ = { p(a), p(f(a)) } 

  $gfp(\mathcal{T}_\alpha[\![P_2]\!])(q(X))$ = { q(f(X)), q(f(f(X))), ..., q(f(a)), q(f(f(a))), ... } 
  $gfp(\mathcal{T}_\alpha[\![P_2]\!])(p(X))$ = { p(a), p(f(a)), p(f(f(a))), ... } 

Consider now 

  P3 : q(a) :- p(X) 
       p(f(X)) :- p(a) 

  $\mathcal{T}_\alpha[\![P_3]\!] \downarrow 1\,(q(X))$ = { q(f(X)), q(f(f(X))), ..., q(f(a)), q(f(f(a))), ... }, 
  $\mathcal{T}_\alpha[\![P_3]\!] \downarrow 1\,(p(X))$ = { p(a) }, 
  $\mathcal{T}_\alpha[\![P_3]\!] \downarrow 2\,(q(X))$ = { q(f(X)), q(f(f(X))), ..., q(f(a)), q(f(f(a))), ... }, 
  $\mathcal{T}_\alpha[\![P_3]\!] \downarrow 2\,(p(X))$ = { p(X), p(f(X)), ..., p(a), p(f(a)), ... }, 

  $gfp(\mathcal{T}_\alpha[\![P_3]\!])(q(X))$ = { q(X), q(f(X)), q(f(f(X))), ..., q(a), q(f(a)), q(f(f(a))), ... } 
  $gfp(\mathcal{T}_\alpha[\![P_3]\!])(p(X))$ = { p(X), p(f(X)), ..., p(a), p(f(a)), ... }. 

Finally, consider 

  P4 : p(f(X), f(f(X))) :- p(X, f(X)) 
       q(f(Y), f(Y)) :- q(Y, Y) 

  $gfp(\mathcal{T}_\alpha[\![P_4]\!])(p(x))$ = { $p(f^n(X), f^m(X))$, m ≠ n+1; $p(t_1, t_2)$, $t_1$ or $t_2$ ground terms }, 
  $gfp(\mathcal{T}_\alpha[\![P_4]\!])(q(x))$ = { $q(f^n(X), f^m(X))$, m ≠ n; $q(t_1, t_2)$, $t_1$ or $t_2$ ground terms } 
The next example shows how it is possible to infer whether a conjunctive goal has 
finite failure from the information on finite failure of atomic goals only. 

Example 8. Consider the program P4 of Example 7. The goal (p(H, V), q(H, V)) 
finitely fails in P4, since $(p(H,V), q(H,V)) \in up_{(p(H,V),q(H,V))}(C)$, where 

  C = { $p(f^n(X), f^m(X)), q(f^n(X), f^m(X))$, m ≠ n+1; 
        $p(f^n(X), f^m(X)), q(f^n(X), f^m(X))$, m ≠ n; 
        $p(t_1, t_2), q(t_1, t_2)$, $t_1$ or $t_2$ ground terms } 

This is true because, for all possible sequences of substitutions $\vartheta_1 :: \cdots :: \vartheta_n :: \cdots$ 
for (p(H, V), q(H, V)), there exists a (p(H, V), q(H, V))σ ∈ C which unifies with 
each $(p(H,V), q(H,V))\vartheta_i$. 



4 Relation to other semantics 



In this section we want to relate our semantics for finite failure to the direct 
characterization of the set of ground atoms $FF_P$. 

This characterization for ground finite failure was introduced in [11] by Lassez 
and Maher. 

Definition 6. Let P be a program. Let $T_P$ be the fixpoint operator on sets of 
ground atoms defined in [13]. Then $F_P^k$, the set of atoms of the Herbrand base 
which are finitely failed at depth k, is defined as follows. 

1. $A \in F_P^1$ if $A \notin T_P \downarrow 1$; 
2. $A \in F_P^d$, for d > 1, if for all clauses $B \leftarrow B_1, \ldots, B_n$ in P and for all substitu- 
   tions ϑ such that $A = B\vartheta$ and $B_1\vartheta, \ldots, B_n\vartheta$ are ground, there exists k such 
   that 1 ≤ k ≤ n and $B_k\vartheta \in F_P^{d-1}$. 

Definition 7. The set of finite failure $F_P$ of P is defined as 

  $F_P = \bigcup_{d \ge 1} F_P^d$. 
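As an added, runnable rendering of Definitions 6 and 7 (example code, not from the paper or from [11]), the following Python computes the levels $F_P^1, \ldots, F_P^k$ for program P2 of Example 3. Since the Herbrand universe over {a, f} is infinite, the example bounds term depth; that bound, the tuple encoding of terms and atoms, and all function names are this example's own assumptions.

```python
# Added example, not from the paper: the finitely failed sets F_P^k of
# Definition 6 computed over a depth-bounded Herbrand universe (the real
# universe is infinite, so the depth bound is this example's own
# approximation). Terms and atoms are tuples (symbol, *args); a constant is
# a 1-tuple such as ('a',); variables in clauses are strs.
import itertools

def is_var(t):
    return isinstance(t, str)

def universe(signature, depth):
    """All ground terms over `signature` ({functor: arity}) whose nesting
    depth is at most `depth`."""
    terms = {(c,) for c, n in signature.items() if n == 0}
    for _ in range(depth):
        new = set(terms)
        for fn, n in signature.items():
            if n == 0:
                continue
            for args in itertools.product(terms, repeat=n):
                new.add((fn,) + args)
        terms = new
    return terms

def variables(t):
    return {t} if is_var(t) else {v for a in t[1:] for v in variables(a)}

def subst(t, s):
    return s[t] if is_var(t) else (t[0],) + tuple(subst(a, s) for a in t[1:])

def ground_instances(clause, terms):
    """Every ground instance (head, body) of a clause, mapping its variables
    to terms of the bounded universe."""
    head, body = clause
    vs = sorted(variables(head) | {v for b in body for v in variables(b)})
    for vals in itertools.product(sorted(terms), repeat=len(vs)):
        s = dict(zip(vs, vals))
        yield subst(head, s), [subst(b, s) for b in body]

def herbrand_base(program, terms):
    """All ground atoms built from the program's predicate symbols."""
    preds = {atom[0]: len(atom) - 1
             for head, body in program for atom in [head] + body}
    return {(p,) + args for p, n in preds.items()
            for args in itertools.product(terms, repeat=n)}

def finite_failure(program, terms, k):
    """[F_P^1, ..., F_P^k] of Definition 6 over the bounded universe."""
    base = herbrand_base(program, terms)
    instances = [inst for c in program for inst in ground_instances(c, terms)]
    # T_P(B_P) is the set of heads of ground clause instances, because every
    # ground body lies in B_P; hence F^1 = B_P minus those heads.
    levels = [base - {h for h, _ in instances}]
    for _ in range(1, k):
        prev = levels[-1]
        # A is in F^d iff every ground clause instance with head A has some
        # body atom already in F^{d-1} (vacuously true when A has no clause).
        levels.append({a for a in base
                       if all(any(b in prev for b in body)
                              for h, body in instances if h == a)})
    return levels

# Program P2 of Example 3:  q(a) :- p(X).   p(f(X)) :- p(X).
P2 = [
    (('q', ('a',)), [('p', 'X')]),
    (('p', ('f', 'X')), [('p', 'X')]),
]

def failed_by_level(program=P2, depth=4, k=3):
    """F_P^1..F_P^k for the program over terms of depth <= `depth`, rendered
    as sorted strings in the usual p(f(a)) syntax."""
    def show(t):
        return t[0] if len(t) == 1 else f"{t[0]}({','.join(show(a) for a in t[1:])})"
    terms = universe({'a': 0, 'f': 1}, depth)
    return [sorted(show(a) for a in level)
            for level in finite_failure(program, terms, k)]

if __name__ == "__main__":
    for d, level in enumerate(failed_by_level(), start=1):
        print(f"F^{d} =", level)
```

With depth 4 the output reproduces the ground sets of Example 9: $F_P^1$ contains p(a) and every q(f^i(a)), $F_P^2$ adds p(f(a)), $F_P^3$ adds p(f(f(a))), and q(a) is in none of them. The depth bound is a caveat of this example, not of the definition: for P2 the first depth+1 levels agree with the unbounded $F_P^k$, but at deeper levels the bounded computation would wrongly put q(a) into $F_P^k$, because the clause instances q(a) :- p(t) with t deeper than the bound are never examined.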

It is worth noting that, if we define the set ground as follows, 

Definition 8. Let R be a set of atoms. 
  ground(R) = { p(t) | p(t) ∈ R and p(t) is ground } 

we can establish the following relation between $\mathcal{T}_\alpha[\![P]\!] \downarrow k$ and $F_P^k$. 

Theorem 4. For every finite k, 

  $\bigcup_{p(x)} ground(\mathcal{T}_\alpha[\![P]\!] \downarrow k\,(p(x))) = F_P^k$. 

Moreover our fixpoint operator is co-continuous. 
Example 9. Consider program P2 of Example 3. 

  $\bigcup_{p(x)} \mathcal{T}_\alpha[\![P_2]\!] \downarrow 1\,(p(x))$ = { q(f(X)), q(f(f(X))), ..., q(f(a)), q(f(f(a))), ..., p(a) } 
  $\bigcup_{p(x)} \mathcal{T}_\alpha[\![P_2]\!] \downarrow 2\,(p(x))$ = { q(f(X)), q(f(f(X))), ..., q(f(a)), q(f(f(a))), ..., p(a), p(f(a)) } 
  $\bigcup_{p(x)} \mathcal{T}_\alpha[\![P_2]\!] \downarrow \omega\,(p(x))$ = { q(f(X)), q(f(f(X))), ..., q(f(a)), q(f(f(a))), ..., p(a), p(f(a)), p(f(f(a))), ... } 
  $\bigcup_{p(x)} \mathcal{T}_\alpha[\![P_2]\!] \downarrow \omega+1\,(p(x))$ = { q(f(X)), q(f(f(X))), ..., q(f(a)), q(f(f(a))), ..., p(a), p(f(a)), p(f(f(a))), ... } 

Consider now 

  $F_P^1 = \bigcup_{p(x)} ground(\mathcal{T}_\alpha[\![P_2]\!] \downarrow 1\,(p(x)))$ = { q(f(a)), q(f(f(a))), ..., p(a) } 
  $F_P^2 = \bigcup_{p(x)} ground(\mathcal{T}_\alpha[\![P_2]\!] \downarrow 2\,(p(x)))$ = { q(f(a)), q(f(f(a))), ..., p(a), p(f(a)) } 
  $F_P = \bigcup_{p(x)} ground(\mathcal{T}_\alpha[\![P_2]\!] \downarrow \omega\,(p(x)))$ = { q(f(a)), q(f(f(a))), ..., p(a), p(f(a)), p(f(f(a))), ... } 

Note that it is not possible to define a co-continuous operator based on the $F_P^k$'s, 
since q(a) fails according to the information in $F_P$. 

5 Conclusion 

Our goal was to define a fixpoint semantics correctly modeling finite failure. Our 
approach was to start with a concrete fixpoint semantics modeling the finite and 
infinite SLD traces via a fair selection rule. 

From this concrete semantics, which allows us to observe the finite failure 
property, by using abstract interpretation techniques we automatically derive 
a new fixpoint semantics for finite failure. In fact, once we have formalized the 
"observable" property of finite failure as a Galois insertion, we can define an 
abstract fixpoint operator as the optimal (and precise) version of the concrete 
fixpoint operator. This construction yields a fixpoint semantics which correctly 
models finite failure, using a fixpoint operator which is co-continuous and a new 
theorem of and-compositionality for finite failure simpler than the one stated in 
[9]. It is worth noting that the fixpoint operator for finite failure is not finitary. 
However, for analysis and verification purposes, we are in general not interested 
in the standard semantics of a program (which is in any case an infinite object), 
but in its finitely computable approximations. Also in our case, it is possible 
to derive approximations of our fixpoint operator which will allow us to derive 
information on finite failure in an effective way and to use it to define effective 
verification methods [10]. 

Moreover, we believe that other interesting semantics can be derived from the 
concrete SLD-traces semantics. We are currently working on the definition of 
a new fixpoint semantics modeling infinite derivations, based on a co-continuous 
operator. Some computable abstractions of this semantics could be useful for the 
analysis of termination of logic programs. 

Finally, we think that our results are a nice example which shows that ab- 
stract interpretation is not for static analysis only. It is well known that abstract 
interpretation can be used to relate existing standard semantics. However, here 
we have used the abstract interpretation technique to derive a new semantics 
which models an observable property for which a satisfactory fixpoint semantics 
was hard to define in a direct way. 
Abstract. Walther's estimation calculus was designed to prove the ter- 
mination of functional programs, and can also be used to solve the simi- 
lar problem of proving the well-foundedness of induction rules. However, 
there are certain features of the goal formulae which are more common 
to the problem of induction rule well-foundedness than the problem of 
termination, and which the calculus cannot handle. We present a sound 
extension of the calculus that is capable of dealing with these features. 
The extension develops Walther's concept of an argument bounded func- 
tion in two ways: firstly, so that the function may be bounded below by 
its argument, and secondly, so that a bound may exist between two ar- 
guments of a predicate. Our calculus enables automatic proofs of the 
well-foundedness of a large class of induction rules not captured by the 
original calculus. 



1 Introduction 

An induction rule is well-founded iff there is a well-founded order such that for 
each step case of the rule the inductive hypotheses are less in that order than the 
inductive conclusion. A standard technique for showing validity of an induction 
rule involves showing the rule to be well-founded, and so automatic techniques 
for establishing well-foundedness are of interest to the inductive theorem proving 
community. 

The problem of proving an induction rule well-founded is similar to that of 
proving the termination of a recursive functional program. The current state 
of the art techniques in automated termination analysis of functional programs 
are based upon Walther's estimation calculus [10]. Likewise, these techniques 
currently represent the most powerful approach to automatically proving the 
well-foundedness of induction rules. 

Both termination and well-foundedness proofs involve finding a well-founded 
relation ≺ that satisfies formulae of the form 

  $\varphi \rightarrow s \prec t$ (1) 

In a termination proof of a function¹ f, there is a goal (1), known as a termination 
formula, for each recursive call in a defining equation of f of the form 

¹ We do not consider functions defined by mutual or nested recursion. [5] describes 
extending existing termination analysis techniques to such functions. 
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fit) = ■■■ f{s) ■■■ (2) 

In a well-foundedness proof, there is a goal (1), known as a well-foundedness 
formula, for each induction hypothesis in a step case of the induction rule of the 
form 

\[ \varphi, \ldots, \psi(s), \ldots \vdash \psi(t) \tag{3} \]

However, there are two common features of the induction step case (3) which 
appear less often in (2). Firstly, the term t in (3) can contain defined function 
symbols (i.e. non-constructor symbols), whereas the t in (2) is often a pattern 
(i.e., a linear constructor term) - some languages (e.g. ML) demand this is the 
case. Secondly, the terms s and t in (3) may be related by a predicate in the step 
case conditions φ. Although this can occur in (2), it is not a common style of 
programming. Hence well-foundedness formulae have features whose analogues 
appear less frequently in termination formulae: 

(i) the appearance of defined function symbols on the right of the inequality, 
and, 

(ii) the two sides of the inequality are related by a predicate that appears in the 
preconditions. 

As the original estimation calculus was designed to prove termination formulae, it 
does not take account of either of these features, and so fails on well-foundedness 
formulae when these features are relevant to the solution (several examples are 
given below). 

In this paper we present a sound extension of the estimation calculus which 
can handle both of these features of well-foundedness formulae. Furthermore, 
this extended calculus is readily automated in just the same way as Walther's 
original calculus. Thus the extended calculus enables automatic proofs of the 
well-foundedness of a strictly larger class of induction rules not captured by 
Walther's approach. (We discuss below other extensions of the original calculus.) 
Likewise, it can prove the termination of a larger class of functions, given that some 
formalisms may allow functions with features analogous to (i) and (ii). 

The extension is achieved by developing the concept of argument bounds. 
In the original calculus, an argument bounded function is one whose result is 
bounded above by one of its arguments under the size order. The size order <_# 
orders free data types by their value under the size measure #, e.g., natural 
numbers are ordered by magnitude, and lists by length. 

We extend the concept of argument bounds to functions which are bounded 
below by their arguments, and to predicates in which one argument bounds 
another. Using these concepts, the calculus is extended in order to deal with 
features (i) and (ii) described above. For simplicity in this paper, we concentrate 
on extending Walther's original calculus [10], although our techniques could be 
combined with some of the other extensions described in §2.3. 
The features particular to well-foundedness formulae and our extensions to the 
estimation calculus are illustrated by the following two examples. Firstly, consider 
(4) below as an example of an induction rule whose well-foundedness formulae 
have feature (i): 

\[
\frac{\vdash \psi(0) \qquad \vdash \psi(s(0)) \qquad x \neq 0 \wedge y \neq 0,\ \psi(x),\ \psi(y) \vdash \psi(plus(x, y))}{\vdash \forall x{:}nat.\ \psi(x)} \tag{4}
\]

where plus sums two natural numbers. If we attempt to use the size order <_# to 
prove this well-founded, we must show that 

\[ x \neq 0 \wedge y \neq 0 \to \#(x) < \#(plus(x, y)) \tag{5} \]

\[ x \neq 0 \wedge y \neq 0 \to \#(y) < \#(plus(x, y)) \tag{6} \]

These well-foundedness formulae both display feature (i): defined function symbols 
appear on the right of the inequality. If we know that plus is bounded below 
by its first argument, relative to #, and that this bound is strict when the second 
argument is non-zero, i.e., 

\[ v \neq 0 \to \#(u) < \#(plus(u, v)) \tag{7} \]

then we can easily discharge (5). This is the basic approach taken by the estimation 
calculus: find an argument bound, synthesise lemmas giving conditions on 
the strictness of this bound (like (7)) and then show that these conditions hold. 
Formula (6) can be discharged with a similar insight about the second argument 
of plus. 

However, this example cannot be solved by the estimation calculus. Because 
the termination formulae it was designed to solve rarely display feature (i), it 
only reasons with functions which are bounded above by one of their arguments. 
The crucial part of this proof is to recognise the lower argument bound on plus. 
Our extended calculus can solve such well-foundedness conditions by reasoning 
about lower argument bounds. 

Our second example (8) has well-foundedness formulae which illustrate feature 
(ii) described above. Here shorter is a predicate that holds only when its 
first argument is a shorter list than its second argument. 

\[
\frac{\vdash \psi(nil) \qquad shorter(x, y),\ \psi(x) \vdash \psi(y)}{\vdash \forall x{:}list(\tau).\ \psi(x)} \tag{8}
\]

To establish well-foundedness using the size order, we need to discharge 

\[ shorter(x, y) \to \#(x) < \#(y) \tag{9} \]

This well-foundedness formula displays feature (ii): the two sides of the inequality 
are related by a predicate that appears in the preconditions. If we know that 
when shorter holds, its first argument is bounded above by the second argument, 
relative to #, and that this bound is always strict, then we can discharge (9). 
Notice we have taken the estimation calculus approach again: find an argument 
bound, synthesise a lemma giving conditions on the strictness of this bound and 
show these conditions hold - in this example the conditions are trivially true. 

The original estimation calculus cannot solve this example, as the crucial 
part of the proof is recognising that the relevant argument bound holds between 
the first and second arguments of shorter. The calculus can only reason about 
argument bounded functions, and not argument bounded predicates that appear 
in the conditions on the inequality. This is because these rarely appear in the 
termination formulae the calculus was designed to prove. Our extended calculus 
can solve such well-foundedness conditions by reasoning about bounds between 
arguments of predicates. 

Although there exist more powerful techniques which can reason about features 
(i) and (ii), i.e. [4] and [1], our calculus has advantages over these. The main 
contribution of this paper is that such reasoning can be 'built in' to Walther's 
calculus in a way analogous to the original, and which retains its simplicity. The 
method is simpler and easier to implement than comparable techniques, and 
although less powerful, is capable of coping with many common examples. 

The remainder of this paper is organised as follows: we provide some background 
on the estimation calculus in §2. The extension for handling the occurrence 
of defined function symbols in the conclusion of a step case is presented 
in §3, and the extension for formulae where the two sides of the inequality are 
related by a predicate that appears in the conditions is described in §4. Refinements 
and possible developments of our approach are discussed in §5, and in §6 
we draw our conclusions. 

Conventions We use i ∈ [n] to denote 1 ≤ i ≤ n, and s̄_n to denote s_1, …, s_n. 
Each n-ary constructor c has n associated destructor functions d_1, …, d_n, which 
return the arguments of c, defined as d_i(c(t̄_n)) = t_i, and ∘ everywhere else, where ∘ 
is an arbitrary nullary constructor of the appropriate type. It is assumed that 
such a constructor exists for each type. 



2 Background 

Proving induction rules well-founded, and functional programs terminating (excluding 
nested and mutually recursive programs), requires us to find a well-founded 
relation² ≺ which satisfies a set of formulae of the form 

iC) ( 10 ) 

There is a well-foundedness formula of this form for each inductive hypothesis, 
where the s_i are the values of the induction variables in the hypothesis, the t_i are the 
values in the conclusion of this step case and φ are the conditions on this case. 
In the case of termination proofs, there is a termination formula (10) for each 
recursive call - the s_i are the arguments of this call, the t_i are the arguments of 
the head of this defining case and φ are the case conditions. 

² A relation is well-founded if it does not contain any infinite descending chains. 

If a relation ≺ is well-founded on β, a measure function m : α → β can be 
used to induce a well-founded relation ≺_m on α, defined by 

\[ \forall x, y{:}\alpha.\ (x \prec_m y \leftrightarrow m(x) \prec m(y)) \]

The estimation calculus [10] attempts to prove sets of well-foundedness formulae 
using the well-founded size order <_#. The size measure # : τ → nat counts 
the number of reflexive³ type τ constructors in a type τ data-structure, where 
substructures of other types are ignored. The rest of this section gives a brief 
summary of the estimation calculus - for more details see [10]. 

2.1 Argument Bounds and Difference Predicates 

Walther defines an argument bounded function as one whose result is no larger 
under ≤_# than one of its arguments. In order to avoid confusion later, we refer to 
these as upper argument bounded functions, because the argument is an upper 
bound on the function. Formally: 

Definition 1 (Upper Argument Bounded Function). A function f : τ_1 × ⋯ × τ_n → τ 
is upper p-bounded iff p ∈ [n] and 

\[ \forall t_1{:}\tau_1 \ldots t_n{:}\tau_n.\ f(\bar{t}_n) \le_\# t_p \]

A function is upper argument bounded iff it is upper p-bounded for some p. 

For each upper argument bounded position p of a function f, there is a 
difference predicate which is true only when the upper bound is strict. Formally: 

Definition 2 (Difference Predicate). If f is upper p-bounded, the difference 
predicate Δ^p_f is defined by 

\[ \Delta^p_f(\bar{t}_n) = (f(\bar{t}_n) <_\# t_p) \]

Note that predicates are treated as functions with the range {TRUE, FALSE}. 
For an n-ary predicate P we write P(x̄_n) = TRUE as P(x̄_n) (see [10] for further 
details). 

2.2 The Estimation Calculus 

Walther's calculus is given in Fig. 1, which we have recast as a sequent-style 
system. The measured data type has k reflexive constructors r_1, …, r_k, and l irreflexive 
constructors ir_1, …, ir_l. Each r_i is reflexive on the set of argument positions R_i. 

Fig. 1. The estimation calculus 

³ A function is reflexive if its range type is one of its domain types. 

The calculus is used to derive sequents of the form (s <_# t, Δ), and is sound 
in that ⊢_E (s <_# t, Δ) implies both s ≤_# t and Δ ↔ s <_# t. Well-foundedness 



conditions of the form (10) are proved by showing ⊢_E (s_i <_# t_i, Δ) for some 
i ∈ [n] and then using a theorem prover to establish φ → Δ. 

The calculus rules can be used in reverse to decompose the goal formula 
(s <_# t, Δ), where the identity of Δ is initially unknown. If we represent this 
unknown as a meta-variable which can be instantiated by rule applications, then 
the difference formula Δ can be constructed during the analysis⁴. 

⁴ Walther's original approach to using the calculus was to recast it as a production rule 
system whose rules constructed Δ as they decomposed the inequality. The approaches 
are trivially equivalent. 

Recognising argument bounded functions and synthesising difference predicates 
is done automatically using the estimation calculus. An upper p-bounded 
function f is recognised by performing a meta-induction proof that demonstrates 
that each defining case of f returns a value no larger under ≤_# than the pth 
argument (see [10] for details). If it exists, the corresponding difference predicate 
is synthesised as a by-product of this analysis. 



2.3 Related Techniques 

Based on the estimation calculus, Giesl developed a similar calculus that works 
with arbitrary measure functions based on polynomial norms [3]. As it is not 
restricted to using the size measure, it is a much more powerful approach. The 
method still has the drawback that the user must supply the appropriate measure 
function. To overcome this Giesl adapted the approach to automatically 
synthesise these measure functions, using techniques from termination analysis 
of term rewriting systems [4]. This latter technique is quite different from 
the estimation calculus, and does not use argument bounded functions. A good 
overview of this research can be found in [6]. 

The estimation calculus has also been extended to work with certain non-free 
data types [9], and has been used as the basis for Walther recursive programs [7], 
a class of functional programs for which termination is decidable. 

3 Lower Argument Bounded Functions 

In this section we describe our extension for feature (i): the occurrence of defined 
function symbols on the right of the inequality. If a well-foundedness formula has 
this feature, then proving it requires us to show ⊢_E (s <_# t, Δ), where t contains 
defined function symbols. The calculus fails in these situations because it has no rules 
which can derive theorems of this form. 

We can extend the estimation calculus to allow defined functions f to be 
added to t, providing that they do not decrease the value of this term under 
the size measure. In other words, the value of f(…, t, …) is bounded below by 
the value of t. We call these functions lower argument bounded functions, and 
define them as follows: 

Definition 3 (Lower Argument Bounded Function). A function f : τ_1 × ⋯ × τ_n → τ 
is lower p-bounded iff p ∈ [n] and 

\[ \forall t_1{:}\tau_1 \ldots t_n{:}\tau_n.\ t_p \le_\# f(\bar{t}_n) \]

A function is lower argument bounded iff it is lower p-bounded for some p. 

Before we can extend the calculus to use lower argument bounded functions, 
we need to be able to synthesise a difference predicate that is true iff the lower 
argument bound is strict. The process is exactly analogous to the upper bound 
case - the difference predicate Δ^p_f is synthesised while verifying that f is lower 
p-bounded - and is described in §3.1. We can now extend the estimation calculus 
by adding the following inference rule (11) to handle lower argument bounded 
functions. 



Lower Bound Estimation 

\[
\frac{\Gamma \vdash_E (s <_\# t_p,\ \Delta)}{\Gamma \vdash_E (s <_\# f(\bar{t}_n),\ \Delta \vee \Delta^p_f(\bar{t}_n))}
\quad \text{if } f \text{ is lower } p\text{-bounded} \tag{11}
\]



Because all constructor functions are argument bounded on their reflexive 
argument positions, the strong embedding rule (see Fig. 1) is now redundant, 
being subsumed by rule (11). Below we use to denote the estimation calculus 
extended with our new rule (11). 

Theorem 1. Rule (11) is sound. 

Proof. Assume f is lower p-bounded and ⊢_E (s <_# t_p, Δ). By definition s ≤_# t_p 
and Δ ↔ s <_# t_p, and t_p ≤_# f(t̄_n) and Δ^p_f(t̄_n) ↔ t_p <_# f(t̄_n). Now: 

(a) s ≤_# f(t̄_n), by s ≤_# t_p and t_p ≤_# f(t̄_n). 

(b) Δ ∨ Δ^p_f(t̄_n) → s <_# f(t̄_n), as Δ → s <_# f(t̄_n) and Δ^p_f(t̄_n) → s <_# f(t̄_n) 
by (a). 

(c) s <_# f(t̄_n) → Δ ∨ Δ^p_f(t̄_n), because s ≤_# t_p ≤_# f(t̄_n), so s <_# f(t̄_n) → 
¬(s =_# t_p =_# f(t̄_n)). Hence s <_# f(t̄_n) → s <_# t_p ∨ t_p <_# f(t̄_n). 

Therefore ⊢_E (s <_# f(t̄_n), Δ ∨ Δ^p_f(t̄_n)) as required. □ 

Given the original estimation calculus and the new rule (11) are both sound, 
our extended calculus is also sound. 

As an example of rule (11) in operation, consider the following induction 
rule, taken from [8]: 

\[
\frac{\vdash \psi(nil) \qquad \psi(l) \vdash \psi(app(l, cons(x, nil)))}{\vdash \forall l{:}list(\tau).\ \psi(l)} \tag{12}
\]

Here nil and cons are the list constructors and app is a defined function that 
appends two lists, defined as 

\[ app(nil, l) = l \tag{13} \]

\[ app(cons(h, t), l) = cons(h, app(t, l)) \tag{14} \]

We can verify that app is lower 1-bounded, with the associated difference predicate 
Δ^1_app (see §3.1 for details), defined as 

\[ \Delta^1_{app}(nil, l) = (l = cons(hd(l), tl(l))) \tag{15} \]

\[ \Delta^1_{app}(cons(h, t), l) = \Delta^1_{app}(t, l) \tag{16} \]

We can use the size measure to prove (12) well-founded: ⊢_E (l <_# l, FALSE) by 
the identity rule, and then by lower bound estimation 

\[ \vdash_E (l <_\# app(l, cons(x, nil)),\ FALSE \vee \Delta^1_{app}(l, cons(x, nil))) \]

It is within the power of current automatic inductive theorem provers (e.g., 
Clam [2]) to show that the difference formula FALSE ∨ Δ^1_app(l, cons(x, nil)) is 
true, and so the inequality is strict. Hence the induction rule (12) is well-founded. 
Note this cannot be established using the original calculus, because of the defined 
function symbol app appearing on the right hand side of the inequality. 

In [4] termination/well-foundedness formulae are converted into a set of constraints 
on a polynomial measure, and a suitable measure is generated. This 
relieves the user of having to provide suitable measures for the proof. It is also 
general enough to handle goal formulae with feature (i), and so could be used as 
an alternative to the estimation calculus extended with our rule (11). However, 
our approach is considerably simpler and easier to implement. Of course, it can 
only be used in situations where the size measure is sufficient, but this includes 
many common induction rules/functions. 



3.1 Recognising Lower Argument Bounded Functions 

When an n-ary function is defined, we attempt to prove it is lower p-bounded 
for each p ∈ [n]. We assume it has been shown terminating, and has a set of 
mutually exclusive and exhaustive defining equations. To verify that f is lower 
p-bounded for some p we must show 

\[ \vdash_E (t_p <_\# f(\bar{t}_n),\ \Delta^p_f(\bar{t}_n)) \tag{17} \]

for some difference predicate Δ^p_f. As in the upper argument bounded case (for 
details see [10]), we prove this property by a meta-induction over the estimation 
calculus which corresponds to the recursive structure of f. The difference predicate 
Δ^p_f is synthesised during this process - each case of the meta-induction 
adds an equation to its definition. 

So for each defining equation of f 

\[ \varphi \to f(\bar{t}_n) = b \tag{18} \]

where b contains k recursive calls f(s_{1,1}, …, s_{1,n}), …, f(s_{k,1}, …, s_{k,n}), we must 
verify a case of our meta-induction corresponding to (18) 

\[
(s_{1,p} <_\# f(s_{1,1}, \ldots, s_{1,n}),\ \Delta^p_f(s_{1,1}, \ldots, s_{1,n})),\ \ldots,\ 
(s_{k,p} <_\# f(s_{k,1}, \ldots, s_{k,n}),\ \Delta^p_f(s_{k,1}, \ldots, s_{k,n})) \vdash_E (t_p <_\# b,\ \Delta) \tag{19}
\]

for some Δ. Note there may be no recursive calls in b, and so there will be no 
inductive hypotheses. 

The corresponding difference predicate is synthesised as a by-product: for 
each case of our meta-induction (19), we obtain the following defining equation 

\[ \varphi \to \Delta^p_f(\bar{t}_n) = \Delta \tag{20} \]

The above meta-induction is guaranteed valid, because we demand f is terminating 
and has a set of mutually exclusive and exhaustive defining equations. 
If we use this scheme to prove (17), then for each case (18) there is a meta-induction 
case 

\[ \varphi, h_1, \ldots, h_k \vdash_E (t_p <_\# f(\bar{t}_n),\ \Delta^p_f(\bar{t}_n)) \]

where h_1, …, h_k are the inductive hypotheses of (19). By the definitions of f (18) 
and Δ^p_f (20) it is sufficient to prove (19). Hence the meta-induction proves (17). 

Furthermore, as ⊢_E is sound, (17) implies t_p ≤_# f(t̄_n) and Δ^p_f(t̄_n) ↔ t_p <_# 
f(t̄_n). So by definition 3, the meta-induction verifies that f is lower p-bounded 
and has difference predicate Δ^p_f. 

The process of recognising lower argument bounded functions is illustrated 
by the verification that app (see §3) is a lower 1-bounded function. For defining equation 
(13) we use the minimum rule to show 

\[ \vdash_E (nil <_\# l,\ (l = cons(hd(l), tl(l)))) \]

(15) is extracted from this. For the recursive equation (14) we can use the weak 
embedding rule to show 

\[ (t <_\# app(t, l),\ \Delta^1_{app}(t, l)) \vdash_E (cons(h, t) <_\# cons(h, app(t, l)),\ \Delta^1_{app}(t, l)) \]

from which (16) is extracted. Hence app is lower 1-bounded, with the difference 
predicate defined by (15) and (16). 

4 Argument Bounded Predicates 

We now describe our extension for feature (ii): the two sides of the inequality 
are related by a predicate that appears in the preconditions. A well-foundedness 
formula with this feature requires us to show ⊢_E (s <_# t, Δ), where s is less 
than t because of the preconditions. This is not possible in the original calculus, 
which ignores these conditions. 

Although the conditions φ may entail s <_# t, it may require arbitrarily hard 
theorem proving to establish this - and we would still be left with the problem of 
synthesising the appropriate difference predicate. We adopt a restricted but more 
practical approach in which φ → w(t̄_n) is tested using a decision procedure⁵, 
such that s = t_p and t = t_q, where w is a predicate that is mentioned in φ 
and whose pth argument is never greater under the size measure than its qth 
argument. In other words, w ensures t is bounded below by s. We call w an 
argument bounded predicate, defined as follows: 

⁵ For example, that the formula is a tautology. 

Definition 4 (Argument Bounded Predicate). A predicate w : τ_1 × ⋯ × τ_n → bool 
is (p, q)-bounded iff 1 ≤ p, q ≤ n, p ≠ q and 

\[ \forall t_1{:}\tau_1 \ldots t_n{:}\tau_n.\ w(\bar{t}_n) \to t_p \le_\# t_q \]

A predicate is argument bounded iff it is (p, q)-bounded for some p, q. 

As with argument bounded functions, there is a difference predicate Δ^{(p,q)}_w that 
is equivalent to this bound being strict, i.e. w(t̄_n) → (Δ^{(p,q)}_w(t̄_n) ↔ t_p <_# t_q), 
and which is synthesised while verifying w is (p, q)-bounded. This is described 
in §4.1. We can now extend the estimation calculus by adding an inference rule 
(21) to handle argument bounded predicates in the conditions. 



Condition Bound 

\[
\frac{}{\Gamma \vdash_E (t_p <_\# t_q,\ \Delta^{(p,q)}_w(\bar{t}_n))}
\quad \text{providing } (p, q)\text{-bounded } w \text{ occurs in } \varphi \text{ and } \varphi \to w(\bar{t}_n) \text{ is a tautology} \tag{21}
\]



Theorem 2. Rule (21) is sound. 

Proof. Assume w is (p, q)-bounded and φ → w(t̄_n) is a tautology. As φ is the 
current condition, w(t̄_n) holds. By definition 4, w(t̄_n) → t_p ≤_# t_q, so t_p ≤_# t_q. 
Also, w(t̄_n) → (Δ^{(p,q)}_w(t̄_n) ↔ t_p <_# t_q), so Δ^{(p,q)}_w(t̄_n) ↔ t_p <_# t_q. Hence 
⊢_E (t_p <_# t_q, Δ^{(p,q)}_w(t̄_n)) as required. □ 

Extending ⊢_E with (21) preserves soundness; henceforth we shall refer to this 
system (i.e., ⊢_E with the addition of rule (21)) as 

As an example of the use of rule (21), consider the following induction rule: 

\[
\frac{\vdash \psi(nil) \qquad leqlen(l, m),\ \psi(l) \vdash \psi(cons(x, m))}{\vdash \forall l{:}list(\tau).\ \psi(l)} \tag{22}
\]

Here leqlen is a predicate that holds when its first argument is a list not longer 
than its second argument, and is defined as 

\[ leqlen(nil, m) = TRUE \tag{23} \]

\[ leqlen(cons(g, s), nil) = FALSE \tag{24} \]

\[ leqlen(cons(g, s), cons(h, t)) = leqlen(s, t) \tag{25} \]

We can show that leqlen is (1, 2)-bounded, and has the difference predicate 
Δ^{(1,2)}_leqlen (see §4.1 for details), defined as 

\[ \Delta^{(1,2)}_{leqlen}(nil, m) = (m = cons(hd(m), tl(m))) \tag{26} \]

\[ \Delta^{(1,2)}_{leqlen}(cons(g, s), nil) = FALSE \tag{27} \]

\[ \Delta^{(1,2)}_{leqlen}(cons(g, s), cons(h, t)) = \Delta^{(1,2)}_{leqlen}(s, t) \tag{28} \]
To establish the well-foundedness of (22) using the size order, we can use the 
condition bound rule (21) to derive ⊢_E (l <_# m, Δ^{(1,2)}_leqlen(l, m)), followed by 
lower bound estimation, given that cons is lower 2-bounded: 

\[ \vdash_E (l <_\# cons(x, m),\ \Delta^{(1,2)}_{leqlen}(l, m) \vee \Delta^2_{cons}(x, m)) \]

The difference formula is true, as Δ^2_cons(x, m) is defined as TRUE. Hence induction 
rule (22) is well-founded. Note that this example cannot be solved using 
the original estimation calculus, as it does not consider the conditions on the 
well-foundedness formulae. 
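The bounds and difference predicates used in this section and in §3 (the lower 1-bound of plus from (7), of app with (15)-(16), the (1, 2)-bound of leqlen with (26)-(28), and the difference formulae derived for rules (12) and (22)) can be checked by exhaustive enumeration over small terms. The Python below is an added example, not code from the paper or from Clam; it represents a nat as an int and a list as a tuple, and the sample domains NATS and LISTS are constructed here.

```python
from itertools import product

# Representation (constructed for this example): a nat is a Python int (the
# number of s-constructors applied to 0); a list is a tuple, nil = () and
# cons(h, t) = (h,) + t.  NIL below stands for the empty list.
NIL = ()

def size(t):
    """Size measure #: the number of reflexive constructors in t."""
    return t if isinstance(t, int) else len(t)

def cons(h, t):
    return (h,) + t

def hd(l):  # destructor: head of a cons, a nullary constructor (0) on nil
    return l[0] if l else 0

def tl(l):  # destructor: tail of a cons, nil on nil
    return l[1:] if l else NIL

def plus(x, y):
    return x + y

def app(l, m):
    """(13) app(nil, l) = l;  (14) app(cons(h, t), l) = cons(h, app(t, l))."""
    return m if l == NIL else cons(hd(l), app(tl(l), m))

def leqlen(l, m):
    """(23)-(25): nil is leqlen anything; cons(g, s) is leqlen cons(h, t) iff s is leqlen t."""
    if l == NIL:
        return True
    return False if m == NIL else leqlen(tl(l), tl(m))

def delta_plus_1(u, v):
    """Difference predicate of the lower 1-bound of plus, read off (7)."""
    return v != 0

def delta_app_1(l, m):
    """(15) D^1_app(nil, l) = (l = cons(hd(l), tl(l)));  (16) D^1_app(cons(h, t), l) = D^1_app(t, l)."""
    return m == cons(hd(m), tl(m)) if l == NIL else delta_app_1(tl(l), m)

def delta_leqlen_12(l, m):
    """(26)-(28): difference predicate of the (1, 2)-bound of leqlen."""
    if l == NIL:
        return m == cons(hd(m), tl(m))
    return False if m == NIL else delta_leqlen_12(tl(l), tl(m))

# Constructed sample domains: nats 0..4 and lists of length 0..4.
NATS = list(range(5))
LISTS = [tuple(range(n)) for n in range(5)]

def is_lower_bounded(f, p, delta, domain):
    """Definition 3 plus the difference-predicate property: for every argument
    tuple, t_p <=_# f(t) and delta(t) <-> t_p <_# f(t)."""
    for args in domain:
        lo, hi = size(args[p - 1]), size(f(*args))
        if not (lo <= hi and delta(*args) == (lo < hi)):
            return False
    return True

def is_upper_bounded(f, p, domain):
    """Definition 1, the only kind of bound the original calculus reasons with."""
    return all(size(f(*args)) <= size(args[p - 1]) for args in domain)

def is_pq_bounded(w, p, q, delta, domain):
    """Definition 4 plus its difference-predicate property: whenever w(t) holds,
    t_p <=_# t_q and delta(t) <-> t_p <_# t_q."""
    for args in domain:
        if w(*args):
            lo, hi = size(args[p - 1]), size(args[q - 1])
            if not (lo <= hi and delta(*args) == (lo < hi)):
                return False
    return True

def rule12_well_founded():
    """Rule (12): the difference formula FALSE v D^1_app(l, cons(x, nil)) from lower
    bound estimation holds for all l, x, hence l <_# app(l, cons(x, nil))."""
    return all((False or delta_app_1(l, cons(x, NIL))) and size(l) < size(app(l, cons(x, NIL)))
               for l in LISTS for x in NATS)

def rule22_well_founded():
    """Rule (22): under leqlen(l, m) the difference formula D^(1,2)_leqlen(l, m) v
    D^2_cons(x, m) holds (D^2_cons is identically TRUE), hence l <_# cons(x, m)."""
    return all((delta_leqlen_12(l, m) or True) and size(l) < size(cons(x, m))
               for l, m in product(LISTS, LISTS) for x in NATS if leqlen(l, m))

def run_checks():
    """Each claim the text makes about these examples, checked by enumeration."""
    return {
        "plus lower 1-bounded, strict iff v != 0 (7)": is_lower_bounded(plus, 1, delta_plus_1, product(NATS, NATS)),
        "plus upper 1-bounded (what the original calculus looks for)": is_upper_bounded(plus, 1, product(NATS, NATS)),
        "app lower 1-bounded with (15)-(16)": is_lower_bounded(app, 1, delta_app_1, product(LISTS, LISTS)),
        "cons lower 2-bounded, always strict": is_lower_bounded(cons, 2, lambda x, m: True, product(NATS, LISTS)),
        "leqlen (1,2)-bounded with (26)-(28)": is_pq_bounded(leqlen, 1, 2, delta_leqlen_12, product(LISTS, LISTS)),
        "induction rule (12) well-founded": rule12_well_founded(),
        "induction rule (22) well-founded": rule22_well_founded(),
    }
```

Every entry of run_checks() comes out True except the upper 1-bound of plus, which is exactly the bound the original calculus would look for and fail to find.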

Brauburger and Giesl use inductive evaluation to exploit the conditions on 
the inequality in termination formulae [1], and so their method could also be 
used as an alternative to the condition bound rule (21). However, this requires 
an inductive theorem prover to solve subgoals that correspond to proving the 
predicate is strictly argument bounded. Our approach performs this analysis 
when the predicate is first defined, and so requires less theorem proving support 
during execution. It is simpler to identify argument bounded predicates when 
they are defined, and to use the condition bound rule when possible. Of course, 
there are many situations where rule (21) is not relevant and inductive evaluation 
is required. 



4.1 Recognising Argument Bounded Predicates 

When an n-ary predicate is defined, we attempt to prove it is (p, q)-bounded for 
each p ≠ q, 1 ≤ p, q ≤ n. We assume it has been shown terminating (recall our 
predicates are functions onto {TRUE, FALSE}) and has a set of mutually exclusive 
and exhaustive defining equations. To verify that w is (p, q)-bounded for some p 
and q we must show that 

(29) 

when w(t̄_n) holds, for some difference predicate Δ^{(p,q)}_w. We proceed as in the 
argument bounded function case (see §3.1 and [10]), by a meta-induction over 
the estimation calculus according to the recursive structure of w. Again each 
case of the meta-induction adds an equation to the definition of the difference 
predicate Δ^{(p,q)}_w. 

However, because we have the extra assumption w(t̄_n), the details of the 
meta-induction are somewhat different from the functional case. For each defining 
equation of w 

\[ \varphi \to w(\bar{t}_n) = b \tag{30} \]

we require that b is a quantifier-free formula over the free variables of w(t̄_n). This 
formula is converted into disjunctive normal form b' = d_1 ∨ ⋯ ∨ d_m. Recall that 
we only want to establish (29) when w(t̄_n) holds, so if b = FALSE we can ignore 
the case (30) and do not care what value Δ^{(p,q)}_w(t̄_n) takes - a case assigning it 
FALSE under the condition φ is added. 

Otherwise, we must prove a case of the meta-induction corresponding to (30) 
when w(t̄_n) = TRUE. The latter implies at least one of the disjuncts d_i must hold. 
If d_i holds and contains the set of positive literals p_i, we can make the following 
assumptions 

1. For each w(s̄_n) in p_i we can assume (s_p <_# s_q, Δ^{(p,q)}_w(s̄_n)). 

2. For each z(s̄) in p_i, such that z is a (u, v)-bounded predicate, we can 
assume (s_u <_# s_v, Δ^{(u,v)}_z(s̄)). 

For each d_i we collect such a set of assumptions h_1, …, h_a and verify the following 
meta-induction case 

h_1, …, h_a ⊢_E (31) 

If this proof is successful we create the following defining equation for Δ^{(p,q)}_w: 

\[ \varphi \to \Delta^{(p,q)}_w(\bar{t}_n) = \Delta \]

Compare our meta-induction with the induction based upon the recursive 
structure of w. Ours has the same case structure, with extra case splits on 
the disjuncts d_1 ∨ ⋯ ∨ d_m, and only uses inductive hypotheses which would also 
appear in the latter induction. The meta-induction is valid since w is terminating 
and has a set of mutually exclusive and exhaustive defining equations. So if the 
meta-induction succeeds, then (29) is established under the assumption w(t̄_n). 

Given w(t̄_n) implies (29), the soundness of ⊢_E yields w(t̄_n) → t_p ≤_# t_q 
and w(t̄_n) → (Δ^{(p,q)}_w(t̄_n) ↔ t_p <_# t_q). So by definition 4, the meta-induction 
correctly verifies that w is (p, q)-bounded and has difference predicate Δ^{(p,q)}_w. 

Our approach to recognising argument bounded predicates is illustrated by 
the verification of leqlen (see §4) as a (1, 2)-bounded predicate. Consider defining 
equation (23) of leqlen: we use the minimum rule to show 

\[ \vdash_E (nil <_\# m,\ (m = cons(hd(m), tl(m)))) \]

which gives us (26). The defining equation (24) has FALSE on the right, so this 
case is ignored, and Δ^{(1,2)}_leqlen(cons(g, s), nil) is set to FALSE. For the third defining 
equation (25) there is a single disjunct containing a single positive literal 
leqlen(s, t). Hence we use the weak embedding rule to show 

\[ (s <_\# t,\ \Delta^{(1,2)}_{leqlen}(s, t)) \vdash_E (cons(g, s) <_\# cons(h, t),\ \Delta^{(1,2)}_{leqlen}(s, t)) \]

from which (28) is extracted. Hence leqlen is (1, 2)-bounded, with the difference 
predicate defined by (26), (27) and (28). 
5 Further Work 

Our extended calculus consists of the lower bound estimation rule and the condition 
bound rule added to the original estimation calculus, minus the strong 
embedding rule - which is subsumed by lower bound estimation. There are a 
number of refinements that could be made to improve its performance. Many 
of those suggested by Walther for his original calculus [10] would be similarly 
applicable to our work, e.g., the optimisation of difference algorithms. 

The use of lower argument bounded functions and argument bounded predicates 
could be incorporated into Giesl's calculus for polynomial norm measure 
functions [3], given that it works on similar principles to the estimation calculus. 
This would give our benefits for well-foundedness proofs, without the restriction 
of using only the size measure. 

Argument bounded predicates can give us useful information even when their 
bound arguments are not simply the terms of the inequality we want to derive. 
For instance, consider the following induction rule: 

\[
\frac{\vdash \psi(nil) \qquad less(len(l), len(m)),\ \psi(l) \vdash \psi(m)}{\vdash \forall l{:}list(\tau).\ \psi(l)} \tag{32}
\]

Here less is less than on natural numbers, and len returns the length of a list. 
less is also (1, 2)-bounded, so we can use the condition bound rule to derive 

\[ \vdash_E (len(l) <_\# len(m),\ \Delta^{(1,2)}_{less}(len(l), len(m))) \]

This can be used to prove induction rule (32) well-founded, providing we know 
the following properties of len: 

\[ \forall x, y{:}list(\tau).\ len(x) \le_\# len(y) \to x \le_\# y \tag{33} \]

\[ \forall x, y{:}list(\tau).\ len(x) <_\# len(y) \to x <_\# y \tag{34} \]

Such reasoning could be included in the extended calculus, where properties 
like (33) and (34) are established when the functions are initially defined. 

We also intend to implement the extended calculus as part of the Clam 
inductive theorem prover [2], in order to support automatic well-foundedness 
proofs for induction rules, e.g. the examples given in this paper. This forms part 
of a project to automatically construct such induction rules when required. 

6 Conclusions 

We have presented a fully automatic technique for proving that induction rules 
are well-founded. It is a sound extension of the estimation calculus designed to 
handle two common features of well-foundedness formulae for induction rules. 
These features are i) defined function symbols on the right of the inequality 
and ii) a predicate in the preconditions which relates the two sides of the inequality. 
The original estimation calculus did not take account of either of these 
features, as they rarely appear in the termination formulae it was designed to 
solve. Consequently, our calculus is more powerful. 

Although both features could be tackled using alternative techniques, our approach 
is simpler and easier to implement than comparable methods, as well as 
requiring less theorem proving support during execution than inductive evaluation. 
Abstract. The guarded fragment (GF) was introduced in [ABN98] as 
a fragment of first order logic which combines a great expressive power 
with nice modal behavior. It consists of relational first order formulas 
whose quantifiers are relativized by atoms in a certain way. While GF 
has been established as a particularly well-behaved fragment of first order 
logic in many respects, interpolation fails in restriction to GF, [HM99]. 
In this paper we consider the Beth property of first order logic and 
show that, despite the failure of interpolation, it is retained in restriction 
to GF. Being a closure property w.r.t. definability, the Beth property 
is of independent interest, both theoretically and for typical potential 
applications of GF, e.g., in the context of description logics. The Beth 
property for GF is here established on the basis of a limited form of 
interpolation, which more closely resembles the interpolation property 
that is usually studied in modal logics. From this we obtain that, more 
specifically, even every n-variable guarded fragment with up to n-ary 
relations has the Beth property. 



1 Introduction 

The Guarded Fragment It has proven useful to view modal logics not only as 
systems in themselves but also as fragments of first order logic. As is well-known, 
the basic modal logic K can be seen as a fragment of first order logic via the 
translation t which maps a proposition letter p to the atom Px, which commutes 
with the Boolean connectives, and which maps formulas of the form ◇φ 
to ∃y(Rxy ∧ φ^t(y)) and □φ to ∀y(Rxy → φ^t(y)). The image of K under this 
translation is referred to as the modal fragment. This fragment turns out to behave 
excellently. It shares several nice model-theoretic properties with full first 
order logic (e.g., interpolation, Beth definability, or the Łoś-Tarski property), 
and has in addition good algorithmic qualities: it is decidable and every satisfiable 
modal formula has a finite model and a tree model (in other words, the 
modal fragment has the finite model property and the tree model property). 
Moreover, the decidability of this fragment is robust in the sense that various 
extensions remain decidable. For example, adding features like counting quantifiers 
or fixed points to the modal fragment does not affect decidability. 
The usefulness of the modal fragment brought logicians to search for generalizations of this fragment which retain the afore-mentioned nice properties. An obvious candidate for such a generalization is the two variable fragment of first order logic, denoted by $L_2$. Although this logic is decidable and has the finite model property, it does not have interpolation nor the Beth property. Neither does it have the tree model property, and also its decidability is not as robust as that of the modal fragment [Var98, GO99].

In [ABN98] it is argued that the distinguishing characteristic of the modal fragment is not its restriction to two variables but its restriction on quantifiers, namely to quantifier patterns $\exists y(Rxy \wedge \varphi(y))$ or $\forall y(Rxy \to \varphi(y))$. This brings Andréka, van Benthem and Németi to investigate to what extent these quantifier restrictions can be loosened while retaining the attractive modal behavior. The outcome is the guarded fragment (GF) which allows for quantifications of the form $\exists \bar y(R\bar x\bar y \wedge \varphi(\bar x,\bar y))$ and $\forall \bar y(R\bar x\bar y \to \varphi(\bar x,\bar y))$, where $\bar x,\bar y$ are finite sequences of variables and $\varphi$ is a guarded formula with free variables among $\bar x,\bar y$ which all must appear in the atomic formula $R\bar x\bar y$.

In [ABN98] this fragment is shown to have the finite model property, the Łoś-Tarski property and, most importantly, to be decidable. Grädel [Gra97] improves on this result by classifying the satisfiability problem for GF to be complete for deterministic double exponential time; satisfiability for the finite variable guarded fragments is even in Exptime, in fact Exptime-complete. This is worth comparing with the satisfiability problem for $L_2$ which is known to be Nexptime-complete [GKV97]. What is more, GF has a certain tree model property. Since the tree model property of the modal fragment can be seen as the main reason behind the robustness of the decidability of that fragment (cf. e.g., [Var98]), this gives hope as to the robustness of GF. And indeed, adding least and greatest fixed points to GF yields a decidable extension [GW99].

However, as shown in [HM99], the interpolation theorem of first order logic fails for GF. In the present paper it will be shown that GF does have an alternative interpolation property, which closely resembles the interpolation property usually studied in modal logics. This result turns out to be strong enough to entail the Beth definability theorem for GF.

The Beth (Definability) Property. In a slogan, the Beth definability property states that implicit definability equals explicit definability. Generally, this property may be regarded as an indication that there is a good balance between syntax and semantics of a logic; the semantic phenomenon that the meaning of a basic relation is implicitly determined guarantees that there is an explicit syntactic expression for that relation. Intuitively, an implicit definition of a relation $R$ is a definition of $R$, in the sense that it fixes the interpretation of $R$, in which the relation symbol $R$ may occur. For example, consider the conjunction $\Sigma$ of formulas saying that $<$ is an irreflexive linear order, there exists a first element and this element has property $R$, and an element has property $R$ iff its successor does not have property $R$. Note that these statements can be formulated in first order logic (with equality) using the predicates $<$ and $R$. It is obvious that on every finite irreflexive linear order the interpretation of the relation $R$ is fixed. In other words, on finite models, $\Sigma$ implicitly defines $R$. On the other hand, as first observed by [Haj77], there is no first order formula $\theta(x)$ which does not mention $R$ and which would explicitly define $R$ over the finite models of $\Sigma$. I.e., there is no formula $\theta(x)$ using just $<$ such that $\Sigma \models Rx \leftrightarrow \theta(x)$ would be true over all finite models. Obviously, every relation that is explicitly definable is also implicitly definable. As the above example showed, the converse is in general not true. However, in the classical context of not necessarily finite models, implicit definability and explicit definability in first order logic coincide. This property of first order logic was first observed by E.W. Beth (see [Bet53]). Nowadays, logics for which an analogous statement holds are said to have the Beth (definability) property. So the above-mentioned example shows that first order logic restricted to finite models does not have the Beth property. Another logic which fails to have this property is $L_2$ (cf. [Sai90], see also Remark 2). Besides first order logic, logics with the Beth property include classical (and intuitionistic) propositional calculus, or the modal logics K, K4 and S5.

Note that for GF, and the modal logics, as long as we consider finite sets of sentences $\Sigma$ it does not make a difference for the Beth property whether we are in the classical context of not necessarily finite models, or regard finite models only. For, as these logics have the finite model property, a finite set of sentences $\Sigma$ implicitly defines a relation over finite models if and only if it does so over all models. The same for explicit definitions.

Description Logics. Description logics were designed for the purpose of knowledge representation. Roughly speaking, a description logic starts from some set of primitive concepts (which are unary predicates) and roles (binary predicates). The logic then specifies (or defines) complex concepts out of these primitives and makes assertions about these specifications, mostly in terms of modally expressible dependencies between concepts via roles. E.g., the logic can assert that a certain object, or all objects related to it via a designated role, belongs to a certain concept. Although they originated from entirely different backgrounds, there is therefore a close correspondence between description logics and modal logics. For example the description logic $\mathcal{ALC}$ is nothing but a syntactic variant of the basic multi-modal logic $K_n$ [Sch91]. Hence the guarded fragment can also be seen as a general framework for description logics, which may express more than the ordinary modal dependencies. In particular, it may go beyond the built-in arity restriction of modal logics, so that one can speak of higher-arity concepts and roles. The interested reader is referred to [Gra98] for a proposal of GF as a framework for description logic and for further references. In the description logic context, the Beth property seems particularly desirable as it guarantees explicit definability of concepts (and roles): e.g., concept specification in the framework of GF is closed in the sense that any concept that can implicitly be characterized can actually be defined explicitly within the logic.
Outline of the Paper. Ever since 1956 when W. Craig gave an alternative proof of the Beth theorem for first order logic via his interpolation theorem, these two properties are almost always studied simultaneously. This paper forms no exception. In Section 3 we will prove a certain interpolation property for GF from which the Beth property for GF will be derived in Section 4. Even better, both these properties will be shown to hold for each of the n-variable fragments of GF individually, in the presence of at most n-ary relations.

2 Preliminaries 

In this section we will collect all the necessary preliminaries. It also serves to fix 
notation and terminology. 

Convention 1 By a language $\mathcal L$ we will henceforth understand a relational first order language without function or constant symbols. Besides variables, and the parentheses ), (, we consider as logical symbols the connectives $\wedge$, $\neg$, the existential quantifier $\exists$ and the identity symbol $=$. ⊣

Notation 1 Models are denoted by calligraphic letters like $\mathcal M$, $\mathcal N$, and their respective universes by $M$, $N$, etc. The interpretation of an $n$-ary predicate $R$ in the model $\mathcal M$ (notation: $I^{\mathcal M}(R) \subseteq M^n$) is defined as usual. Moreover, we extend this terminology to sets. That is, for $X \subseteq M$ we write $X \in I^{\mathcal M}(R)$ if the elements of $X$ are $R$-related, in any order or multiplicity. E.g., if $R$ is ternary and $(n,m,n) \in I^{\mathcal M}(R)$, then $\{m,n\} \in I^{\mathcal M}(R)$. For a model $\mathcal M$, $m_1,\dots,m_n \in M$ and a formula $\varphi$ with free variables among $\{v_1,\dots,v_n\}$, we write $\mathcal M \models \varphi[m_1,\dots,m_n]$ iff each assignment which maps $v_i$ to $m_i$ satisfies $\varphi$ in $\mathcal M$. If $\Sigma$ is a formula (or a set of formulas) and $\psi$ a formula, then $\Sigma \models \psi$ denotes the consequence relation. That is, $\Sigma \models \psi$ iff every assignment into a model $\mathcal M$ which satisfies (all formulas in) $\Sigma$ also satisfies $\psi$. In particular, $\varphi \models \psi$ is the same as to say that $\varphi \to \psi$ is valid, i.e., $\models \varphi \to \psi$. For any formula $\varphi$, by $free(\varphi)$ we denote the set of free variables occurring in $\varphi$. By $\mathcal L_\varphi$ (read: the language of $\varphi$) we denote the set of relation symbols occurring in $\varphi$. ⊣



2.1 Defining the Guarded Fragment: Syntax 

Definition 1 (Guarded formula). Let $\mathcal L$ be a language. The atomic $\mathcal L$-formulas (or, $\mathcal L$-atoms) are of the usual form:

1. $v_1 = v_2$, for variables $v_1, v_2$.

2. $Pv_1 \cdots v_n$, for $n$-ary $P \in \mathcal L$ and variables $v_1,\dots,v_n$, not necessarily distinct.

The guarded $\mathcal L$-formulas are defined by induction as follows.

1. Any atomic $\mathcal L$-formula is a guarded $\mathcal L$-formula.

2. If $\varphi$, $\psi$ are guarded $\mathcal L$-formulas, then $\varphi \wedge \psi$ and $\neg\varphi$ are guarded $\mathcal L$-formulas.

3. Let $\bar v$ be a finite, non-empty sequence of variables, $\psi$ a guarded $\mathcal L$-formula, and $G$ an $\mathcal L$-atom such that $free(\psi) \subseteq free(G)$. Then $\exists \bar v(G \wedge \psi)$ is a guarded $\mathcal L$-formula. In this case, the atom $G$ is called the guard of the quantifier. ⊣

Note that as a dual of guarded existential quantification we also get guarded universal quantification, of the form $\forall \bar v(G \to \psi)$.

A typical example of a guarded formula is the one expressing symmetry of a relation: $\forall v_1 v_2(Rv_1v_2 \to Rv_2v_1)$. On the other hand, the formula $\forall v_1v_2v_3((Rv_1v_2 \wedge Rv_2v_3) \to Rv_1v_3)$, which expresses the transitivity of the relation $R$, is not guarded, as $Rv_1v_2 \wedge Rv_2v_3$ is not a guard.
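The guardedness condition of Definition 1 is purely syntactic and can be checked mechanically. The following Python is an added example, not code from the paper: it encodes formulas as nested tuples (an encoding of our own), implements $free(\varphi)$, the guardedness test of Definition 1 (with identity atoms admitted as guards, as in Remark 1), and the language functions $\mathcal L_\varphi$ and $\mathcal L_g(\varphi)$ of Notation 1 and Notation 2. The symmetry and transitivity formulas, the identity-guarded formula of Section 2.2 and the formula $\varphi$ from Notation 2 are the paper's; their tuple encodings are ours.

```python
"""Guardedness test for relational first-order formulas (Definition 1), plus
free(phi), the language L_phi (Notation 1) and the guard language L_g(phi)
(Notation 2).

Added worked example, not code from the paper.  Formulas are nested tuples,
an encoding of our own:
    ("eq", v1, v2)                   atom v1 = v2
    ("rel", P, (v1, ..., vn))        atom P v1 ... vn
    ("and", phi, psi), ("not", phi)
    ("exists", (v, ...), G, phi)     exists v (G and phi), G the guard
    ("forall", (v, ...), G, phi)     forall v (G -> phi), the dual form
Variable and relation names are arbitrary strings.
"""


def free(phi):
    """free(phi): the set of free variables of phi."""
    tag = phi[0]
    if tag == "eq":
        return frozenset(phi[1:3])
    if tag == "rel":
        return frozenset(phi[2])
    if tag == "and":
        return free(phi[1]) | free(phi[2])
    if tag == "not":
        return free(phi[1])
    if tag in ("exists", "forall"):
        bound, guard, body = phi[1], phi[2], phi[3]
        return (free(guard) | free(body)) - frozenset(bound)
    raise ValueError(f"unknown node {tag!r}")


def is_atom(phi):
    return phi[0] in ("eq", "rel")


def is_guarded(phi):
    """True iff phi is guarded in the sense of Definition 1: each quantifier
    binds a non-empty sequence and its guard is an atom G (identity atoms are
    allowed, cf. Remark 1) with free(body) a subset of free(G)."""
    tag = phi[0]
    if is_atom(phi):
        return True
    if tag == "and":
        return is_guarded(phi[1]) and is_guarded(phi[2])
    if tag == "not":
        return is_guarded(phi[1])
    if tag in ("exists", "forall"):
        bound, guard, body = phi[1], phi[2], phi[3]
        return (len(bound) > 0 and is_atom(guard)
                and free(body) <= free(guard) and is_guarded(body))
    raise ValueError(f"unknown node {tag!r}")


def relations(phi):
    """L_phi: the relation symbols occurring in phi (equality is logical)."""
    tag = phi[0]
    if tag == "eq":
        return frozenset()
    if tag == "rel":
        return frozenset([phi[1]])
    if tag == "and":
        return relations(phi[1]) | relations(phi[2])
    if tag == "not":
        return relations(phi[1])
    return relations(phi[2]) | relations(phi[3])


def guard_relations(phi):
    """L_g(phi): relation symbols occurring as the guard of some quantifier."""
    tag = phi[0]
    if is_atom(phi):
        return frozenset()
    if tag == "and":
        return guard_relations(phi[1]) | guard_relations(phi[2])
    if tag == "not":
        return guard_relations(phi[1])
    guard, body = phi[2], phi[3]
    own = frozenset([guard[1]]) if guard[0] == "rel" else frozenset()
    return own | guard_relations(body)


def R(*vs):
    return ("rel", "R", vs)


# The paper's examples in our encoding.
# forall v1 v2 (R v1 v2 -> R v2 v1): symmetry, guarded by R v1 v2.
SYMMETRY = ("forall", ("v1", "v2"), R("v1", "v2"), R("v2", "v1"))
# forall v1 v2 v3 ((R v1 v2 & R v2 v3) -> R v1 v3): transitivity.  A guard must
# be a single atom; R v1 v2 does not cover v3, so the formula is not guarded.
TRANSITIVITY = ("forall", ("v1", "v2", "v3"), R("v1", "v2"),
                ("not", ("and", R("v2", "v3"), ("not", R("v1", "v3")))))
# exists v (v = v & not P v): guarded by an identity atom (Remark 1).
IDENTITY_GUARD = ("exists", ("v",), ("eq", "v", "v"), ("not", ("rel", "P", ("v",))))
# phi = exists x (P x & forall y (S x y -> P y)): P is both a guard and a non-guard.
PHI = ("exists", ("x",), ("rel", "P", ("x",)),
       ("forall", ("y",), ("rel", "S", ("x", "y")), ("rel", "P", ("y",))))
```

Since a guard is a single atom, the only way to encode transitivity in this syntax is to pick one of its two antecedent atoms as guard; `is_guarded` then rejects it because `v3` is free in the body but not in the guard, which is exactly the observation made in the text.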

Remark 1. For readers familiar with [ABN98] we note that contrary to that paper, Definition 1 allows for identity atoms as guards. Since this issue affects neither decidability nor interpolation, we decided to concentrate on this slightly more general fragment. This also places us in line with [Gra97]. ⊣

Guarded formulas are obviously first order formulas. The fragment of first order logic consisting of guarded formulas is called the guarded fragment (GF). We understand by $\mathrm{GF}_n$, $n \in \omega$, the fragment of GF that consists of formulas whose variables (free or bound) are among $v_1,\dots,v_n$. The collection of formulas in $\mathrm{GF}_n$ which are built up from at most $k$-ary relation symbols is denoted by $\mathrm{GF}_n^k$.



2.2 Semantic Characterization of the Guarded Fragment 

Similar to modal logics, the guarded fragment can be semantically analyzed via a suitable notion of bisimulation. This has been done in [ABN98]. Here we will recapitulate as much of these results as needed for the purposes of the present paper.

Definition 2 (live set). Let $Z$ be a finite subset of a model $\mathcal M$. The set $Z$ is called live in $\mathcal M$ if $Z$ is either a singleton, or there exists a relation $R$ and a set $X$ such that $Z \subseteq X \in I^{\mathcal M}(R)$. In this case we will say that $Z$ is $R$-live (in $\mathcal M$). For any language $\mathcal L$ we use the notation $Z \subseteq_{\mathcal L} \mathcal M$ to denote that $Z$ is $\mathcal L$-live in $\mathcal M$. That is, $Z$ is $R$-live in $\mathcal M$ for some $R \in \mathcal L$. We will omit the subscript $\mathcal L$ if it does not cause confusion. ⊣

Note that by definition subsets of live sets are again live.

Below, by a finite partial $\mathcal L$-isomorphism we mean a finite one-to-one partial map between two models which preserves the relations in $\mathcal L$ both ways. By the image of a map $f : X \to Y$ we understand the set $\{f(x) : x \in X\}$, and we refer to $X$ as its domain.

Definition 3 (Guarded bisimulation). A guarded $\mathcal L$-bisimulation between two models $\mathcal M$ and $\mathcal N$ is a non-empty set $F$ of finite partial $\mathcal L$-isomorphisms between $\mathcal M$ and $\mathcal N$ such that for any $f : X \to Y \in F$ the following hold:

1. For any $Z \subseteq_{\mathcal L} \mathcal M$ there is a $g \in F$ with domain $Z$ such that $g$ and $f$ agree on the intersection of their domains. (The zig-condition)

2. For any $W \subseteq_{\mathcal L} \mathcal N$ there is a $g \in F$ with image $W$ such that $g^{-1}$ and $f^{-1}$ agree on the intersection of their domains. (The zag-condition) ⊣

Guarded bisimulations are defined in such a way as to preserve guarded formulas. That is, for a guarded $\mathcal L$-formula $\varphi$ with free variables among $\{v_1,\dots,v_k\}$, a guarded $\mathcal L$-bisimulation $F$ between models $\mathcal M$, $\mathcal N$, an $f \in F$, and $m_1,\dots,m_k \in dom(f)$ it is the case that $\mathcal M \models \varphi[m_1,\dots,m_k]$ iff $\mathcal N \models \varphi[f(m_1),\dots,f(m_k)]$.

This can be shown by a straightforward induction on the complexity of $\varphi$. The zig- and zag-conditions precisely take care of the induction step for existential quantification. Indeed, preservation under guarded bisimulations is the characteristic feature of GF, in the sense of the following Characterization Theorem from [ABN98]: up to logical equivalence, GF precisely consists of those first order formulas that are preserved under guarded bisimulations.

Note that in the definition of a guarded bisimulation that can be found in [ABN98], the above role of live sets is taken over by what ABN call guarded sets. These are subsets $Z$ of a model $\mathcal M$ such that $Z \in I^{\mathcal M}(R)$, for some relation $R$. Mutatis mutandis, all arguments in [ABN98] and in particular the characterization theorem also apply to guarded formulas and guarded bisimulations as defined in this paper. Note e.g., that a guarded formula of the form $\exists v(v = v \wedge \neg Pv)$, which is not guarded in the ABN-sense, is preserved under guarded bisimulations in our sense by virtue of the fact that singletons are live.

For further use we exhibit, for any relation $R$, a formula $\lambda_R(v_1,\dots,v_l)$ which defines the set of $R$-live $l$-tuples. More precisely, for models $\mathcal M$ and $m_1,\dots,m_l \in M$: $\mathcal M \models \lambda_R(v_1,\dots,v_l)[m_1,\dots,m_l]$ iff the set $\{m_1,\dots,m_l\}$ is $R$-live in $\mathcal M$.

Let $s$ be the arity of $R$. Let $e$ range over all complete equality types in variables $v_1,\dots,v_l$. We regard $e$ both as a quantifier-free formula $e(v_1,\dots,v_l)$ in the empty vocabulary and as an equivalence relation on the set $\{1,\dots,l\}$ according to $(i,j) \in e$ iff $e \models v_i = v_j$. Let $\rho : \{1,\dots,s\} \to \{1,\dots,l+s\}$ be a mapping that is onto $\{1,\dots,l\}/e$, i.e., for every $j \in \{1,\dots,l\}$ there is some $i \in \{1,\dots,s\}$ such that $\rho(i)$ is in the same $e$-equivalence class with $j$. Put, for any such pair of $e$ and $\rho$,

$$\gamma_{e,\rho} = e(v_1,\dots,v_l) \wedge \exists \bar v\,(Rv_{\rho(1)}\cdots v_{\rho(s)} \wedge true), \qquad (1)$$

where $\bar v$ consists of those $v_{\rho(i)}$ for which $\rho(i) > l$ (if there are such; else no quantification is necessary and $\gamma_{e,\rho}$ is actually atomic). The desired formula $\lambda_R(v_1,\dots,v_l)$ is obtained as the disjunction over all $\gamma_{e,\rho}$ for matching pairs $(e,\rho)$.

For any finite language $\mathcal L$ we further obtain a formula $\lambda_{\mathcal L}(v_1,\dots,v_l)$ defining the set of $\mathcal L$-live $l$-tuples by putting

$$\lambda_{\mathcal L}(v_1,\dots,v_l) = \Big(\bigwedge_{i,j \le l} v_i = v_j\Big) \vee \bigvee_{R \in \mathcal L} \lambda_R(v_1,\dots,v_l), \qquad (2)$$

where the first disjunct reflects the fact that all singleton sets are regarded as live (namely, as guarded by equality).

We finally note that $\gamma_{e,\rho}$ is equivalent to a formula in $\mathrm{GF}_{\max(l,s)}$. We conclude that for every finite language $\mathcal L$ which contains at most $k$-ary relations and for any $l \le k$ we may assume $\lambda_{\mathcal L}(v_1,\dots,v_l) \in \mathrm{GF}^k_k$.
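As a worked instance of the construction (1)-(2), added here and not part of the paper, take a binary relation $R$ (so $s = 2$) and $l = 2$. The computation below uses only the paper's symbols $e$, $\rho$, $\gamma_{e,\rho}$, $\lambda_R$ and $\lambda_{\mathcal L}$.

```latex
% Equality types on v_1, v_2:  e_{=} : v_1 = v_2   and   e_{\neq} : v_1 \neq v_2.
% e_{\neq} has the two classes {1},{2}; rho must hit both, so rho in {(1,2),(2,1)}
% and no variable is quantified:
\gamma_{e_{\neq},(1,2)} = v_1 \neq v_2 \wedge R v_1 v_2, \qquad
\gamma_{e_{\neq},(2,1)} = v_1 \neq v_2 \wedge R v_2 v_1 .
% e_{=} has the single class {1,2}; rho must hit it at least once.
% If both rho(1), rho(2) <= l = 2 nothing is quantified and, under v_1 = v_2,
% every such R v_{rho(1)} v_{rho(2)} is equivalent to R v_1 v_1:
\gamma_{e_{=},(1,2)} \equiv v_1 = v_2 \wedge R v_1 v_1 .
% A value rho(i) = 3 > l contributes the quantified variable v_3 of (1):
\gamma_{e_{=},(1,3)} = v_1 = v_2 \wedge \exists v_3\,(R v_1 v_3 \wedge true), \qquad
\gamma_{e_{=},(3,1)} = v_1 = v_2 \wedge \exists v_3\,(R v_3 v_1 \wedge true).
% lambda_R is the disjunction over all matching pairs (e, rho):
\lambda_R(v_1,v_2) \equiv
  \big(v_1 \neq v_2 \wedge (R v_1 v_2 \vee R v_2 v_1)\big) \vee
  \big(v_1 = v_2 \wedge (R v_1 v_1 \vee \exists v_3\,(R v_1 v_3 \wedge true)
                                      \vee \exists v_3\,(R v_3 v_1 \wedge true))\big).
% Each gamma lies in GF_{max(l,s)} = GF_2: in the e_{=} disjuncts v_2 equals v_1,
% so the fresh v_3 can be renamed to v_2, e.g.
v_1 = v_2 \wedge \exists v_3\,(R v_1 v_3 \wedge true) \;\equiv\;
v_1 = v_2 \wedge \exists v_2\,(R v_1 v_2 \wedge true) \;\in\; \mathrm{GF}^2_2 .
% For L = {R}, (2) adds the equality disjunct, which absorbs the whole e_{=} group:
\lambda_{\{R\}}(v_1,v_2) = (v_1 = v_2) \vee \lambda_R(v_1,v_2)
  \;\equiv\; v_1 = v_2 \vee R v_1 v_2 \vee R v_2 v_1 .
```

Read against Definition 2: for $m_1 \ne m_2$ the pair $\{m_1,m_2\}$ is $R$-live exactly when $(m_1,m_2)$ or $(m_2,m_1)$ lies in $I^{\mathcal M}(R)$, while a singleton $\{m\}$ is $R$-live whenever $m$ occurs in any $R$-tuple, and is $\{R\}$-live in any case.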

3 Interpolation for the Guarded Fragment 

As shown in [HM99], GF does not have the interpolation property.

Theorem 1 (Failure of interpolation in GF, [HM99]). There exist sentences $\varphi, \psi \in \mathrm{GF}$ such that $\models \varphi \to \psi$, without a guarded interpolant (in any number of variables). That is, there does not exist a guarded formula $\vartheta$ built up from relation symbols which occur both in $\varphi$ and $\psi$ such that $\models \varphi \to \vartheta$ and $\models \vartheta \to \psi$.

To see why this property fails for GF, it is useful to compare it to the interpolation property studied in modal logic. In modal logic, the interpolant is usually confined to proposition letters in the common language but may contain non-shared modalities. Strengthening the requirement on the common language to also include common modalities results in a much stronger interpolation property. [Ben99] shows this property for the basic multi-modal K. [Mar99] generalizes this result to Sahlqvist axiomatizable multi-modal logics whose axioms correspond to universal Horn frame conditions which do not specify any interaction between the different accessibility relations (e.g., bi-modal S5). When we have interaction, the stronger interpolation property is easily lost as the following example from [Ben99] shows. Consider the multi-modal logic defined by the axiom $\Diamond_1 p \to \Diamond_2 p$. This logic does not have the stronger interpolation property. For, in this logic $\Diamond_1 True \to \Diamond_2 True$ is a theorem whereas the only formulas in the common language (in the strong sense) are $True$ and $False$, which are obviously not interpolants. However, this logic does have the usual interpolation property (cf. [MV97, Corollary B.4.1]).

Thinking of guarded formulas as translations of modal formulas, we see that Theorem 1 formulates exactly this stronger version of interpolation, where 'common language' means the set of common relation symbols, which includes both the relations which are translated proposition letters and the relations that are obtained in translating the modalities. This suggests to consider an alternative interpolation property for GF that more closely resembles the one that is usually studied in modal logic. For this we will distinguish occurrences of relation symbols as guards from other occurrences.

Notation 2 For any guarded formula $\varphi$ we understand by $\mathcal L_g(\varphi)$ the set of relations that occur in $\varphi$ as the guard of some quantifier.

Note that the relations in $\mathcal L_g(\varphi)$ may at the same time occur in $\varphi$ at non-guard positions. For example, in $\varphi = \exists x(Px \wedge \forall y(Sxy \to Py))$, the relation $P$ occurs both as a guard and as a non-guard.




280 Eva Hoogland, Maarten Marx, and Martin Otto



Definition 4 (Guarded $\mathcal L_1/\mathcal L_2$-bisimulation). Let $\mathcal L_1 \subseteq \mathcal L_2$ be languages. A guarded $\mathcal L_1/\mathcal L_2$-bisimulation between models $\mathcal M$ and $\mathcal N$ is defined as a non-empty set of finite partial $\mathcal L_2$-isomorphisms between $\mathcal M$ and $\mathcal N$ with zig- and zag-condition stipulated for $\mathcal L_1$-live sets only. ⊣

This type of bisimulation supports a characterization theorem for that fragment of GF in which only $\mathcal L_1$-predicates may be used as guards, but all predicates in $\mathcal L_1$ and $\mathcal L_2$ may occur at non-guard positions. Analogously to the characterization theorem for GF, the following characterization can be shown, using [HM99, Proposition 3.11].

Proposition 1. Let $\mathcal L_1 \subseteq \mathcal L_2$ be languages which contain at most $k$-ary relation symbols. A first order sentence $\varphi$ is preserved under guarded $\mathcal L_1/\mathcal L_2$-bisimulations iff $\varphi$ is logically equivalent to an $\mathcal L_2$-sentence $\psi \in \mathrm{GF}^k_k$ with $\mathcal L_g(\psi) \subseteq \mathcal L_1$.

Notation 3 For models $\mathcal M, \mathcal N$, and $m_1,\dots,m_k \in M$, $n_1,\dots,n_k \in N$, we write $\mathcal M, m_1 \cdots m_k \equiv^{g,k}_{\mathcal L} \mathcal N, n_1 \cdots n_k$, if $\mathcal M \models \theta[m_1,\dots,m_k]$ iff $\mathcal N \models \theta[n_1,\dots,n_k]$, for all $\mathcal L$-formulas $\theta \in \mathrm{GF}^k_k$. ⊣

Recall that for any formula $\vartheta$, by $\mathcal L_\vartheta$ we denote the language consisting of all the relation symbols occurring in $\vartheta$. The theorem below states that $\mathrm{GF}^k_k$ (and hence GF) has interpolation provided an interpolant for $\models \varphi \to \psi$ is allowed to contain relations in $\mathcal L_g(\varphi) \cup \mathcal L_g(\psi)$ which are not necessarily in the common language. Modally speaking, an interpolant may use non-shared modalities.

Theorem 2 ($\mathrm{GF}^k_k$ has interpolation w.r.t. non-guard occurrences). Let $k \in \omega$. For any $\varphi, \psi \in \mathrm{GF}^k_k$ such that $\models \varphi \to \psi$, there exists a $\vartheta \in \mathrm{GF}^k_k$ such that

1. $\mathcal L_\vartheta \subseteq (\mathcal L_\varphi \cap \mathcal L_\psi) \cup \mathcal L_g(\varphi) \cup \mathcal L_g(\psi)$, and

2. $\models \varphi \to \vartheta$ and $\models \vartheta \to \psi$.

Proof of Theorem 2: We will show 'amalgamation via bisimulation' in the same spirit as e.g., the proof of interpolation for the basic modal logic K in [ABN98, Theorem 2.5]. Its main construction is a deviation of a fairly standard amalgamation method as can be found e.g., in [Mar95] and [Nem85].

For the course of this proof, let $k \in \omega$ be fixed but arbitrary. Consider $\varphi, \psi \in \mathrm{GF}^k_k$ such that $\models \varphi \to \psi$. For brevity, write $\mathcal L$ for $(\mathcal L_\varphi \cap \mathcal L_\psi) \cup \mathcal L_g(\varphi) \cup \mathcal L_g(\psi)$. Let $\Theta = \{\vartheta \in \mathrm{GF}^k_k : \mathcal L_\vartheta \subseteq \mathcal L,\ \models \varphi \to \vartheta\}$. Our aim is to show that

Claim 1 $\Theta \models \psi$.

Note that in the formulation of this claim free variables play the role of individual constants. By compactness, it then follows that $\psi$ is implied by some finite conjunction $\vartheta$ of formulas in $\Theta$. Note that $\vartheta$ is again an $\mathcal L$-formula in $\mathrm{GF}^k_k$. Hence $\vartheta$ is an interpolant for $\varphi, \psi$, and we are done.
To prove Claim 1, consider an arbitrary $\mathcal L_\varphi \cup \mathcal L_\psi$-model $\mathcal N$, and $b_1,\dots,b_k \in N$ such that $\mathcal N \models \vartheta[b_1,\dots,b_k]$, for every $\vartheta \in \Theta$. Our task is to show that $\mathcal N \models \psi[b_1,\dots,b_k]$.

We first note that there exists some $\mathcal L_\varphi \cup \mathcal L_\psi$-model $\mathcal M$ and $a_1,\dots,a_k \in M$ such that $\mathcal M \models \varphi[a_1,\dots,a_k]$ and $\mathcal M, a_1 \cdots a_k \equiv^{g,k}_{\mathcal L} \mathcal N, b_1 \cdots b_k$. For, reasoning to contraposition, assume such $\mathcal M, a_1,\dots,a_k$ do not exist. In that case, $\{\vartheta \in \mathrm{GF}^k_k : \mathcal L_\vartheta \subseteq \mathcal L\ \&\ \mathcal N \models \vartheta[b_1,\dots,b_k]\} \models \neg\varphi$. By compactness it follows that $\models \varphi \to \neg\bigwedge\Theta_0$ for some finite conjunction of formulas $\Theta_0$ in this set. Therefore $\neg\bigwedge\Theta_0 \in \Theta$, whence $\mathcal N \models \neg\bigwedge\Theta_0[b_1,\dots,b_k]$. Quod non.

By passing to $\omega$-saturated elementary extensions of $\mathcal M$ and $\mathcal N$, we may w.l.o.g. assume that $\mathcal M$, $\mathcal N$ are $\omega$-saturated. As shown in the proof of the Characterization Theorem for GF in [ABN98, Theorem 4.2.2], the relation of guarded $\mathcal L$-equivalence between $\omega$-saturated structures induces a guarded $\mathcal L$-bisimulation. The same is true for the relation $\equiv^{g,k}_{\mathcal L}$ if $\mathcal L$ contains at most $k$-ary relations. Hence our assumption in particular implies the existence of a guarded $\mathcal L$-bisimulation between $\mathcal M$, $\mathcal N$ which links $(a_1,\dots,a_k)$ and $(b_1,\dots,b_k)$.

The aim of the rest of this proof is to amalgamate the models $\mathcal M$ and $\mathcal N$ in such a way that we can define guarded $\mathcal L_g(\varphi)/\mathcal L_\varphi$- (resp. $\mathcal L_g(\psi)/\mathcal L_\psi$-) bisimulations between the amalgamated model and $\mathcal M$ (resp. $\mathcal N$) which, when composed, will map $(a_1,\dots,a_k)$ to $(b_1,\dots,b_k)$. Chasing the resulting diagram and using the fact that $\varphi \models \psi$ will yield the desired conclusion that $\mathcal N \models \psi[b_1,\dots,b_k]$. This will be made precise in the sequel.

We define a model over the set $MN$ consisting of pairs $(m,n) \in M \times N$ whose components cannot be distinguished by $\mathcal L$-formulas in $\mathrm{GF}^k_k$. The interpretation of the predicates is read off coordinatewise. More precisely,

- $MN = \{(m,n) \in M \times N : \mathcal M, m \equiv^{g,k}_{\mathcal L} \mathcal N, n\}$.

- For $l$-ary $R \in \mathcal L_\varphi$, set $((m_1,n_1),\dots,(m_l,n_l)) \in I^{\mathcal{MN}}(R)$ iff

  • $\mathcal M, m_1 \cdots m_l \equiv^{g,k}_{\mathcal L} \mathcal N, n_1 \cdots n_l$ (i.e., the $m_i$ and $n_i$ are not only pairwise equivalent but jointly so), and

  • $(m_1,\dots,m_l) \in I^{\mathcal M}(R)$.

- The interpretation of relations in $\mathcal L_\psi$ is defined similarly.

Note that the interpretation of relations in the common language is well-defined thanks to the requirement on live subsets of $\mathcal{MN}$ to be jointly $\mathcal L$-equivalent. The upshot of amalgamating our models into a product is that we can take projection functions as building blocks for the desired bisimulations. This is the purport of the following lemma, where $\pi_i$, $i = 1,2$, denotes the projection function to the $i$-th coordinate. Define $F_{\pi_1} = \{\pi_1 : X \to Y : X \subseteq_{\mathcal L} \mathcal{MN}$ or $X = \{(a_1,b_1),\dots,(a_k,b_k)\}\}$, where the elements $a_1,\dots,a_k \in M$, $b_1,\dots,b_k \in N$ are the ones picked at the very beginning of this proof.
Lemma 1 (Amalgamation lemma). The set $F_{\pi_1}$ is a guarded $\mathcal L_g(\varphi)/\mathcal L_\varphi$-bisimulation between $\mathcal{MN}$ and $\mathcal M$. The analogously defined set $F_{\pi_2}$ is a guarded $\mathcal L_g(\psi)/\mathcal L_\psi$-bisimulation between $\mathcal{MN}$ and $\mathcal N$.

Before proving the lemma, let us first demonstrate its use and finish the proof of Claim 1. Recall that the model $\mathcal M$ and the sequence $a_1,\dots,a_k \in M$ were chosen in such a way that $\mathcal M \models \varphi[a_1,\dots,a_k]$. We took care to include $\pi_1 : \{(a_1,b_1),\dots,(a_k,b_k)\} \to \{a_1,\dots,a_k\}$ in $F_{\pi_1}$. Since $\varphi$ is invariant under guarded $\mathcal L_g(\varphi)/\mathcal L_\varphi$-bisimulations, it follows from the amalgamation lemma that $\mathcal{MN} \models \varphi[(a_1,b_1),\dots,(a_k,b_k)]$. By assumption then $\mathcal{MN} \models \psi[(a_1,b_1),\dots,(a_k,b_k)]$. Since we included $\pi_2 : \{(a_1,b_1),\dots,(a_k,b_k)\} \to \{b_1,\dots,b_k\}$ in $F_{\pi_2}$, the second part of the amalgamation lemma allows us to conclude that $\mathcal N \models \psi[b_1,\dots,b_k]$. Q.E.D. Claim 1.

Now we turn to the proof of the amalgamation lemma.

Proof of Lemma 1: We will prove the first part of the lemma concerning $F_{\pi_1}$. The second statement about $F_{\pi_2}$ can be shown similarly.

$F_{\pi_1}$ is obviously non-empty. Let $\pi_1 : X \to Y \in F_{\pi_1}$. Then $X = \{x_1,\dots,x_l\}$ for some $l \le k$, and $\mathcal M, \pi_1(x_1)\cdots\pi_1(x_l) \equiv^{g,k}_{\mathcal L} \mathcal N, \pi_2(x_1)\cdots\pi_2(x_l)$. By construction this implies that for any $n$-ary $R \in \mathcal L_\varphi$ and any $(x_{i_1},\dots,x_{i_n}) \in X^n$ it is the case that $(x_{i_1},\dots,x_{i_n}) \in I^{\mathcal{MN}}(R)$ iff $(\pi_1(x_{i_1}),\dots,\pi_1(x_{i_n})) \in I^{\mathcal M}(R)$. In other words, $\pi_1$ is a partial $\mathcal L_\varphi$-isomorphism.

For the zag-condition, consider $\pi_1 : X \to Y \in F_{\pi_1}$, and $W \subseteq_R \mathcal M$, for some $R \in \mathcal L_g(\varphi)$. As above, $X = \{x_1,\dots,x_l\}$, for some $l \le k$, and $\mathcal M, \pi_1(x_1)\cdots\pi_1(x_l) \equiv^{g,k}_{\mathcal L} \mathcal N, \pi_2(x_1)\cdots\pi_2(x_l)$. Recall that the relation $\equiv^{g,k}_{\mathcal L}$ forms a guarded $\mathcal L$-bisimulation between $\mathcal M$ and $\mathcal N$. We saw that the partial map $f$ from $M$ to $N$ which maps $\pi_1(x)$ to $\pi_2(x)$, for $x \in X$, is an element of this bisimulation. By the zig-condition, there exists a partial $\mathcal L$-isomorphism $g$ in this bisimulation with domain $W$ which agrees with $f$ on the intersection of their domains. Let $W' = \{(w,g(w)) : w \in W\} \subseteq_{\mathcal L} \mathcal{MN}$. Then $W'$ is the desired pre-image for $W$. As the zig-condition is trivially fulfilled, this completes the proof.

Q.E.D. Lemma 1.

Q.E.D. Theorem 2.

Corollary 1. GF has interpolation w.r.t. non-guard occurrences. 

4 The Beth Theorem for the Guarded Fragment 

In general, an important reason to investigate the interpolation property is that 
it can be seen as an intermediate stage in proving the Beth definability theorem. 
It will be shown that the limited form of interpolation expressed in Theorem 2 
still serves this purpose for GF. 

Let $\mathcal L_0$ be a language and $R$ and $R'$ distinct relation symbols of the same arity that are not in $\mathcal L_0$. Let $\mathcal L = \mathcal L_0 \cup \{R\}$. Let $\Sigma$ be a set of guarded sentences in the language $\mathcal L$, and let $\Sigma'$ denote the result of renaming $R$ to $R'$ in $\Sigma$.
Theorem 3 (Beth Theorem for $\mathrm{GF}^k_k$). Let $\mathcal L_0$, $\mathcal L$, $R$, $R'$, $\Sigma$ and $\Sigma'$ be as above. Let $k \in \omega$ be such that $\Sigma \subseteq \mathrm{GF}^k_k$. If $\Sigma$ implicitly defines $R$, i.e., if $\Sigma, \Sigma' \models \forall\bar v(R\bar v \leftrightarrow R'\bar v)$, then there exists some $\varphi(\bar v) \in \mathrm{GF}^k_k$ in the language $\mathcal L_0$ such that $\Sigma \models \forall\bar v(R\bar v \leftrightarrow \varphi(\bar v))$. This formula $\varphi$ is called an explicit definition for $R$ relative to $\Sigma$.

Proof of Theorem 3: Let all data be as in the theorem, and assume that

$$\Sigma, \Sigma' \models \forall\bar v(R\bar v \leftrightarrow R'\bar v). \qquad (3)$$

We first show that (3) implies that any $R$-live set in a model for $\Sigma$ is $\mathcal L_0$-live.

Claim 2 Let $\mathcal M$ be a model of $\Sigma$, and let $Y \subseteq_R \mathcal M$. Then $Y \subseteq_{\mathcal L_0} \mathcal M$.

Proof of Claim 2: Let $\mathcal M$ be a model of $\Sigma$, and let $Y_0 \subseteq_R \mathcal M$. Reasoning to contraposition, suppose $Y_0 \not\subseteq_{\mathcal L_0} \mathcal M$. We will derive a contradiction from this.

Let $\mathbf 2$ denote the two-element universal $\mathcal L$-model with domain $\{0,1\}$. That is, $s \in I^{\mathbf 2}(P)$ for every $l$-ary $P \in \mathcal L$ and every $s \in \{0,1\}^l$. Let $\mathcal M \times \mathbf 2$ denote the usual product model. Writing $\pi_1$ for the projection on the first coordinate, this definition entails that $s \in I^{\mathcal M \times \mathbf 2}(P)$ iff $(\pi_1(s_1),\dots,\pi_1(s_l)) \in I^{\mathcal M}(P)$, for all $s \in (M \times \{0,1\})^l$ and $l$-ary $P \in \mathcal L$. As the reader can easily verify, this in its turn implies that $F_1 = \{\pi_1 : X \to Y : X \subseteq_{\mathcal L} \mathcal M \times \mathbf 2\}$ is a guarded $\mathcal L$-bisimulation between $\mathcal M \times \mathbf 2$ and $\mathcal M$. Since $\mathcal M \models \Sigma$, we conclude that $\mathcal M \times \mathbf 2 \models \Sigma$.

Our aim is to modify the interpretation of $R$ on $\mathcal M \times \mathbf 2$ in such a way that the resulting structure is again a model for $\Sigma$, contradicting the fact that $\Sigma$ implicitly defines $R$. For this, we consider $X_0 = Y_0 \times \{0\}$. Let $(\mathcal M \times \mathbf 2)'$ be the model which differs from $\mathcal M \times \mathbf 2$ only in that $X_0 \notin I^{(\mathcal M \times \mathbf 2)'}(R)$. We claim that $F_1' = \{\pi_1 : X \to Y : X \subseteq_{\mathcal L} (\mathcal M \times \mathbf 2)'\}$ is a guarded $\mathcal L$-bisimulation between $(\mathcal M \times \mathbf 2)'$ and $\mathcal M$.

$F_1'$ is certainly not empty. Consider some $\pi_1 : X \to Y$ in $F_1'$. If $X_0 \not\subseteq X$, then $\mathcal L$-relations are obviously preserved by $\pi_1$ in both ways. But we changed the interpretation of $R$ such that $X_0$ is not $R$-live in $(\mathcal M \times \mathbf 2)'$. As $Y_0$ is not $\mathcal L_0$-live, it follows that $X_0$ is not $\mathcal L_0$-live in $(\mathcal M \times \mathbf 2)'$ either, and hence no superset of $X_0$ is the domain of some $\pi_1 \in F_1'$.

The zig-condition needs no comment. For the zag-condition, consider some $\pi_1 : X \to Y$ in $F_1'$, and $W \subseteq_{\mathcal L} \mathcal M$. If $W \subseteq Y$, the condition is trivially fulfilled. If not, then $X \cap \pi_1^{-1}[W]$ can be extended in at least two ways to a set $Z$ for which $\pi_1[Z] = W$. For $W \ne Y_0$, either one of these two extensions constitutes the domain of a projection in $F_1'$ fulfilling the zag-condition for $\pi_1, W$. For $W = Y_0$ any extension other than $X_0$ can be taken as such.

This shows that $(\mathcal M \times \mathbf 2)' \models \Sigma$. Summarizing, we see that $\mathcal M \times \mathbf 2 \models \Sigma$, $(\mathcal M \times \mathbf 2)' \models \Sigma$ but $I^{\mathcal M \times \mathbf 2}(R) \ne I^{(\mathcal M \times \mathbf 2)'}(R)$. This contradicts the fact that $\Sigma$ implicitly defines $R$. We conclude that $Y_0$ is indeed $\mathcal L_0$-live, as was to be shown.

Q.E.D. Claim 2.
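Definitions 2 to 4 and the two bisimulation claims in the proof of Claim 2 can be replayed on finite models. The following Python is an added example, not code from the paper: it checks the zig- and zag-conditions for an explicit set $F$ of partial maps, builds $\mathcal M \times \mathbf 2$ and $(\mathcal M \times \mathbf 2)'$ for a small constructed model $\mathcal M$ with $\mathcal L_0 = \{P\}$ and binary $R$, and verifies that the projection sets $F_1$ and $F_1'$ are guarded $\mathcal L$-bisimulations while the two product models differ on $R$. No set $\Sigma$ is involved; the model, signature, languages and the encoding of models as Python objects are assumptions of the example.

```python
"""Guarded bisimulations (Definitions 3 and 4) on finite models, and the
product construction M x 2 from the proof of Claim 2.

Added worked example; this is not code from the paper.  A Model is a finite
universe plus an interpretation mapping relation names to sets of tuples; `sig`
maps relation names to arities.  Live sets, partial isomorphisms and the
zig/zag conditions follow Definitions 2-4 literally.  The sample model M,
signature and languages at the bottom are constructed for illustration.
"""
from itertools import product


class Model:
    def __init__(self, universe, interp):
        self.universe = frozenset(universe)
        self.interp = {r: frozenset(tuples) for r, tuples in interp.items()}


def live_sets(model, lang):
    """All finite Z that are lang-live (Definition 2): singletons, and every
    subset of the component set X of a tuple in I(R) for some R in lang."""
    live = {frozenset([m]) for m in model.universe}
    for r in lang:
        for t in model.interp.get(r, ()):
            comps = list(set(t))
            for bits in product((0, 1), repeat=len(comps)):
                live.add(frozenset(c for c, b in zip(comps, bits) if b))
    return live


def is_partial_iso(f, m1, m2, sig, lang):
    """f is a one-to-one map from a subset of m1's universe into m2's that
    preserves every relation in lang in both directions."""
    if len(set(f.values())) != len(f):
        return False
    dom = list(f)
    for r in lang:
        for t in product(dom, repeat=sig[r]):
            here = t in m1.interp.get(r, ())
            there = tuple(f[x] for x in t) in m2.interp.get(r, ())
            if here != there:
                return False
    return True


def agree(f, g):
    """f and g coincide on the intersection of their domains."""
    return all(f[x] == g[x] for x in f.keys() & g.keys())


def inverse(f):
    return {y: x for x, y in f.items()}


def is_guarded_bisimulation(F, m1, m2, sig, iso_lang, live_lang):
    """Definition 4 with L1 = live_lang and L2 = iso_lang (Definition 3 is the
    case live_lang == iso_lang): F is a non-empty set of partial iso_lang-
    isomorphisms, and zig/zag hold for all live_lang-live sets."""
    F = list(F)
    if not F or not all(is_partial_iso(f, m1, m2, sig, iso_lang) for f in F):
        return False
    live1, live2 = live_sets(m1, live_lang), live_sets(m2, live_lang)
    for f in F:
        # zig: every live Z in m1 is the domain of some g in F compatible with f
        if not all(any(frozenset(g) == Z and agree(f, g) for g in F) for Z in live1):
            return False
        # zag: every live W in m2 is the image of some g in F whose inverse is compatible with f^-1
        f_inv = inverse(f)
        if not all(any(frozenset(g.values()) == W and agree(f_inv, inverse(g)) for g in F)
                   for W in live2):
            return False
    return True


def product_with_two(model, sig):
    """M x 2 from the proof of Claim 2: universe M x {0,1}, and a tuple lies in
    I(P) iff its first-coordinate projection lies in I^M(P)."""
    universe = {(m, i) for m in model.universe for i in (0, 1)}
    interp = {r: {s for s in product(universe, repeat=ar)
                  if tuple(x[0] for x in s) in model.interp.get(r, ())}
              for r, ar in sig.items()}
    return Model(universe, interp)


def projections(mn, lang):
    """F_1 = {pi_1 restricted to X : X lang-live in mn}, one dict per distinct map."""
    F, seen = [], set()
    for X in live_sets(mn, lang):
        f = {x: x[0] for x in X}
        key = frozenset(f.items())
        if key not in seen:
            seen.add(key)
            F.append(f)
    return F


def drop_r_on(model, r, x0):
    """(M x 2)': remove every r-tuple whose component set contains x0, so that
    x0 is no longer r-live."""
    interp = dict(model.interp)
    interp[r] = {t for t in model.interp[r] if not x0 <= set(t)}
    return Model(model.universe, interp)


# Constructed sample: L = L_0 + {R} with L_0 = {P}.  No tuple of M repeats an
# element, so every projection of a live set of M x 2 is one-to-one.
SIG = {"R": 2, "P": 1}
LANG = ["R", "P"]
L0 = ["P"]
M = Model({"a", "b", "c"}, {"R": {("a", "b"), ("b", "c")}, "P": {("a",)}})


def claim2_demo():
    """Replays the bisimulation checks of the proof of Claim 2 on M."""
    mn = product_with_two(M, SIG)
    y0 = frozenset({"b", "c"})                    # R-live in M, but not L_0-live
    x0 = frozenset({("b", 0), ("c", 0)})          # X_0 = Y_0 x {0}
    mn2 = drop_r_on(mn, "R", x0)
    return {
        "y0_R_live": y0 in live_sets(M, ["R"]),
        "y0_L0_live": y0 in live_sets(M, L0),
        "product_bisimilar": is_guarded_bisimulation(projections(mn, LANG), mn, M, SIG, LANG, LANG),
        "modified_bisimilar": is_guarded_bisimulation(projections(mn2, LANG), mn2, M, SIG, LANG, LANG),
        "L0_over_L_bisimilar": is_guarded_bisimulation(projections(mn, L0), mn, M, SIG, LANG, L0),
        "R_changed": mn.interp["R"] != mn2.interp["R"],
    }


if __name__ == "__main__":
    print(claim2_demo())
```

Both $F_1$ and $F_1'$ pass, and the two product models disagree on $R$, which is the situation the proof uses to contradict implicit definability. The `L0_over_L_bisimilar` entry exercises the $\mathcal L_1/\mathcal L_2$ variant of Definition 4 with $\mathcal L_1 = \mathcal L_0$ and $\mathcal L_2 = \mathcal L$, as used in part (i) of the proof below.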

By compactness we may assume $\Sigma$ to be a single sentence, and $\mathcal L_0$ finite. Assume $R$ is $l$-ary, and let $\lambda_0(v_1,\dots,v_l)$ be the canonical $\mathcal L_0$-formula in $\mathrm{GF}^k_k$ saying that the set $\{v_1,\dots,v_l\}$ is $\mathcal L_0$-live (cf. page 278). For brevity, we write $\lambda_0$. For all $\mathcal L$-models $\mathcal M$ we define $R_0 = \{\bar m \in M^l : \mathcal M \models R \wedge \lambda_0[\bar m]\}$. Hence for every $\mathcal L_0$-model $\mathcal M$, $\bar m \in M^l$, and every interpretation of $R$ in $\mathcal M$: $(\mathcal M, R) \models R \wedge \lambda_0[\bar m]$ iff $(\mathcal M, R_0) \models R[\bar m]$. Note that by Claim 2, $I^{\mathcal M}(R) = R_0$, for models $\mathcal M$ of $\Sigma$. Let $\Sigma_0$ be the result of replacing in $\Sigma$ any occurrence of $R$ by the conjunction $R \wedge \lambda_0$. It is now straightforward to check the following:

(i) $\Sigma_0$ is preserved under guarded $\mathcal L_0/\mathcal L$-bisimulations. Hence, by Proposition 1, $\Sigma_0$ is equivalent to an $\mathcal L$-formula $\Gamma$ in $\mathrm{GF}^k_k$ with $\mathcal L_g(\Gamma) \subseteq \mathcal L_0$.

(ii) $\Sigma \models \Sigma_0$, by Claim 2.

(iii) For every $\mathcal L_0$-model $\mathcal M$, and every interpretation of $R$ in $\mathcal M$: if $(\mathcal M, R) \models \Sigma_0$, then $(\mathcal M, R_0) \models \Sigma$.

Let $\Sigma_0'$ be the result of replacing $R$ by $R'$ in $\Sigma_0$. It follows from (3) and (iii) that

$$\Sigma_0 \wedge R \wedge \lambda_0 \models \Sigma_0' \to R'. \qquad (4)$$

For, consider an $\mathcal L_0 \cup \{R, R'\}$-model $(\mathcal M, R, R')$ and some $\bar m \in M^l$ such that $(\mathcal M, R, R') \models (\Sigma_0 \wedge R \wedge \lambda_0 \wedge \Sigma_0')[\bar m]$. We have to show that $(\mathcal M, R, R') \models R'[\bar m]$. It follows from (iii) that $(\mathcal M, R_0, R_0') \models (\Sigma \wedge R \wedge \Sigma')[\bar m]$. By (3), then $(\mathcal M, R_0, R_0') \models R'[\bar m]$. Hence, certainly, $(\mathcal M, R, R') \models R'[\bar m]$.

Replace $\Sigma_0$ and $\Sigma_0'$ in (4) by $\mathcal L_0$-guarded formulae $\Gamma$ and $\Gamma'$ according to (i). We then apply Theorem 2 to obtain, as an interpolant for (4), a formula $\vartheta$ in $\mathrm{GF}^k_k$ such that $\mathcal L_\vartheta \subseteq \mathcal L_0$ and $(\Sigma_0 \wedge R \wedge \lambda_0) \models \vartheta$ and $\vartheta \models \Sigma_0' \to R'$. Applying (ii) and Claim 2, we find that $\Sigma \wedge R \models \vartheta$. Renaming $R'$ back into $R$ in the second implication and one more appeal to (ii) gives us that $\vartheta \models \Sigma \to R$. Hence $\Sigma \models R \leftrightarrow \vartheta$ and $\vartheta$ provides the desired explicit definition of $R$ relative to $\Sigma$.

Q.E.D. Theorem 3.

Corollary 2. GF has the Beth definability theorem.

Remark 2. Theorem 3 shows that the guarded finite variable fragments behave much more nicely w.r.t. definability than the full finite variable fragments of first order logic (FO). For not only does the Beth theorem fail for any $n$-variable fragment of FO, $n > 2$, it fails drastically. In fact, even FO| (using the terminology $\mathrm{FO}^k_n$ for fragments of FO similar to our use of $\mathrm{GF}^k_n$ for guarded fragments) does not have the Beth property. For more information, the reader is referred to [Sai90] or [Hod93]. ⊣
Abstract. The guarded fragment of first order logic, defined in [1], has attracted much attention recently due to the fact that it is decidable and several interesting modal logics can be translated into it. Guarded clauses, defined by de Nivelle in [7], are a generalization of guarded formulas in clausal form. In [7], it is shown that the class of guarded clause sets is decidable by saturation under ordered resolution.

In this work, we deal with guarded clauses that are Horn clauses. We introduce the notion of primitive guarded Horn clause: A guarded Horn clause is primitive iff it is either ground and its body is empty, or it contains exactly one body literal which is flat and linear, and its head literal contains a non-ground functional term. Then, we show that every satisfiable and finite set of guarded Horn clauses S can be transformed into a finite set of primitive guarded Horn clauses S' such that the least Herbrand models of S and S' coincide on predicate symbols that occur in S.

This transformation is done in the following way: first, de Nivelle's saturation procedure is applied on the given set S, and certain clauses are extracted from the resulting set. Then, a resolution based technique that introduces new predicate symbols is used in order to obtain the set S'. Our motivation for the presented method is automated model building.



1 Introduction 

The guarded fragment, first described in [1], is a fragment of first order logic with 
very interesting properties: it is decidable, each of its satisfiable formulas allows 
a finite model, and many modal logics can be translated into it. Transformation 
of guarded formulas into clausal form has inspired the class of guarded clauses. 
Decidability of sets of guarded clauses by saturation under ordered resolution 
has been shown in [8]. 

Guarded clauses form a class of clauses with very strong syntactic restrictions on variable occurrences: every literal $L$ of a guarded clause must contain the same variables (unless it is flat), and it must be covering, which means that every non-ground functional subterm of $L$ must contain all the variables of $L$. But their name actually comes from the condition that a guarded clause must contain a literal in which all the variables of the clause occur at depth 0 (thus as arguments of the literal), and which contains no deeper variable occurrences. This literal is called the guard of the clause. 

In this work, we consider guarded clauses that are Horn. A guarded Horn clause is called primitive if it either contains only a positive ground literal, or has the form $P(x_1, \dots, x_n) \to Q(t_1, \dots, t_m)$ where the $x_i$ are pairwise different variables, and at least one $t_i$ is functional and non-ground. We will show that for every satisfiable and finite set of guarded Horn clauses $S$, there is a finite set of primitive guarded Horn clauses $S'$ such that in the least Herbrand model of $S'$, the predicate symbols occurring in $S$ are interpreted in the same way as in the least Herbrand model of $S$. Such a set $S'$ can be found by a transformation of $S$. This transformation is done in several steps: first, the given set $S$ is saturated using de Nivelle's decision procedure. Then, certain clauses are extracted from the resulting set, which are transformed into primitive guarded Horn clauses. To do this, a resolution-based technique which introduces new predicate symbols is used. 

Our motivation for the transformation of guarded Horn clauses is automated model building (see [11, 10, 2, 5, 9, 4]). This subfield of automated deduction deals with the problem of finding (the description of) a model for a given satisfiable logical formula. This model must be expressed in a formalism that allows operations like the evaluation of arbitrary clauses or even arbitrary formulas. The usefulness of a model (counter-example) is evident: it does not only show that a formula is satisfiable (not valid), but also provides interesting semantic information on the formula. For example, it can serve to refine resolution in theorem provers, or it can help a human user to understand why a theorem cannot be proved (in this case, the model/counter-example must be expressed in a formalism that is "understandable" for human users). 

By now, no method exists that allows one to build models for satisfiable sets of guarded clauses automatically. Such a method should also be useful to build models for formulas of modal logics that can be translated into the guarded fragment, thus providing the same advantages to those logics as model building for first order logic has. Since primitive guarded Horn clauses have a relatively simple structure (they are reminiscent of tree automaton rules), they seem to be an appropriate formalism to represent Herbrand models for guarded formulas. Models expressed in this way are likely to be understandable for human users. On the other hand, evaluation of arbitrary clauses in interpretations represented by primitive guarded Horn clauses is still an open problem. 

This article is structured as follows: we first review some notions to settle our notation, and we recall the decision procedure by de Nivelle. In Section 3, we discuss the transformation of guarded Horn clauses, and conclude with some final remarks in Section 4. 



2 Preliminaries 

We assume the reader to be familiar with the standard logic notions such as term, formula, clause, Herbrand interpretation, etc. 
For a literal $L$, we denote by $\mathrm{args}(L)$ the $n$-tuple of arguments of $L$. 

Clauses that contain at most one positive literal are called Horn clauses. We often write a Horn clause $C = \{\neg B_1, \dots, \neg B_n, H\}$ in the form $B_1, \dots, B_n \to H$. In this case, we consider a clause as a list, i.e. we assume an order on its literals. We call the literal $H$ the head of the Horn clause $C$, and the set of literals $\{\neg B_1, \dots, \neg B_n\}$ the body of $C$. We write $\mathrm{head}(C)$ resp. $\mathrm{body}(C)$ to denote the head resp. the body of the Horn clause $C$. Clauses that contain only negative (positive) literals are called negative (positive). 

We say that a term $t$ occurs in a literal $L$ (or inversely that $L$ contains $t$) iff there is a term $s \in \mathrm{args}(L)$ such that $t$ is a subterm of $s$. A term $t$ occurs in a clause $C$ iff $t$ occurs in a literal $L \in C$. 

The binary resolution rule between two clauses is defined as usual. We call the clause in which the negative literal that is resolved upon occurs the negative premise, and the clause in which the positive literal occurs the positive premise. 

We denote by $\mathrm{var}(e)$ the $n$-tuple of pairwise different variables that occur in the expression $e$, in the order of their first occurrence (w.r.t. any fixed traversal of the tree that corresponds to $e$). 

Throughout this article, if not stated otherwise, we will mean finite set of clauses if we write set of clauses. Furthermore, we will always assume that for two different clauses, there is no variable that occurs in both of them. 

Let $S$ be a set of clauses over the signature $(\mathcal{F}, \mathcal{P})$. Then, the Herbrand base of $S$, denoted by $HB_S$, is the set of all ground atoms over $(\mathcal{F}, \mathcal{P})$. 

We will identify a Herbrand interpretation $I$ for a clause set $S$ with a subset of $HB_S$ (a ground atom is true in $I$ iff it is contained in $I$). $M_S$ denotes the $\subseteq$-least Herbrand model of the set of Horn clauses $S$. 

Let $S$ be a set of non-negative Horn clauses. The immediate consequence operator of $S$, denoted $T_S$, is defined in the following way: for a set of ground atoms $G$, 

$$T_S(G) = \{A \mid \exists C = (B_1, \dots, B_n \to H) \in S,\ \exists \text{ ground substitution } \sigma \text{ with } \mathrm{var}(C) = \mathrm{dom}(\sigma):\ A = H\sigma \text{ and } B_i\sigma \in G \text{ for } 1 \le i \le n\}.$$

$M_S$ is the $\subseteq$-least fixpoint of $T_S$, and it can be obtained in $\omega$ iterations of $T_S$ starting with the empty set $\emptyset$. Instead of $T_S^n(\emptyset)$, we will simply write $T_S^n$. 

Definition 1. Let $S$ be a set of non-negative Horn clauses and $A$ be a ground atom such that $A \in T_S^\omega$. If for a clause $C = B_1, \dots, B_n \to H \in S$, there is a ground substitution $\sigma$ with $\mathrm{dom}(\sigma) = \mathrm{var}(C)$ such that $B_i\sigma \in T_S^\omega$ for $1 \le i \le n$ and $A = H\sigma$, we say that $A$ is generated by $C$. 

If for a clause $C$ a literal $A \in T_S^\omega$ exists such that $A$ is generated by $C$, we say that $C$ is active in $S$ (note that $C$ is not necessarily contained in $S$). 

If $S$ is clear from the context, we omit it. If $S$ is a set of Horn clauses from a decidable class, we can decide for each clause $C \in S$ if $C$ is active: this is the case iff the empty clause can be derived from $S \cup \{\mathrm{body}(C)\}$. 
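The operator $T_S$ and the "active" test of Definition 1, as an added Python example that is not part of the paper. Terms are encoded as tuples (symbol, arguments) with strings for variables; the clause set is constructed here and is not from the paper. Because a non-ground guarded Horn clause has a flat guard carrying all of its variables, every clause is range-restricted, so a body can be matched one-way against the ground atoms derived so far and each derived head is ground. With function symbols $M_S$ is infinite, so `iterate` computes the finite prefix $T_S^n$ and `is_active` is decided against that prefix only.

```python
# Added example, not from the paper: the immediate consequence operator T_S
# and the "active" test of Definition 1, run on a small constructed clause set.
# Encoding: variables are strings, function/predicate applications are tuples
# (symbol, *args), constants are 1-tuples.  A Horn clause B1,...,Bn -> H is
# (body list, head).  Assumption: every clause is range-restricted (head
# variables occur in the body), which holds for non-ground guarded Horn
# clauses since the guard contains var(C); then bodies can be matched against
# ground atoms and every derived head is ground.
from typing import Any, Dict, Iterator, List, Optional, Set, Tuple

Atom = tuple
Clause = Tuple[List[Atom], Atom]
Subst = Dict[str, Any]

def is_var(t: Any) -> bool:
    return isinstance(t, str)

def apply(s: Subst, t: Any) -> Any:
    """Apply the substitution s to a term or atom."""
    if is_var(t):
        return s.get(t, t)
    return (t[0],) + tuple(apply(s, a) for a in t[1:])

def match(pattern: Any, ground: Any, s: Subst) -> Optional[Subst]:
    """One-way matching: extend s so that pattern*s == ground, else None."""
    if is_var(pattern):
        if pattern in s:
            return s if s[pattern] == ground else None
        return {**s, pattern: ground}
    if is_var(ground) or pattern[0] != ground[0] or len(pattern) != len(ground):
        return None
    for p, g in zip(pattern[1:], ground[1:]):
        s = match(p, g, s)
        if s is None:
            return None
    return s

def body_matches(body: List[Atom], atoms: Set[Atom], s: Subst) -> Iterator[Subst]:
    """All ground substitutions (extending s) under which every body atom lies in `atoms`."""
    if not body:
        yield s
        return
    for g in atoms:
        s2 = match(body[0], g, s)
        if s2 is not None:
            yield from body_matches(body[1:], atoms, s2)

def immediate_consequences(clauses: List[Clause], atoms: Set[Atom]) -> Set[Atom]:
    """T_S(G): the heads H*s of all clauses whose body atoms lie in G under s."""
    return {apply(s, head) for body, head in clauses
            for s in body_matches(body, atoms, {})}

def iterate(clauses: List[Clause], n: int) -> Set[Atom]:
    """T_S^n = T_S applied n times to the empty set.  M_S is the limit over all
    n, so with function symbols this computes only a finite prefix of M_S."""
    atoms: Set[Atom] = set()
    for _ in range(n):
        atoms = immediate_consequences(clauses, atoms)
    return atoms

def is_active(clause: Clause, atoms: Set[Atom]) -> bool:
    """Definition 1 restricted to the prefix `atoms`: the clause generates an
    atom iff its body has a ground instance inside `atoms`.  True is certain;
    False only says 'not within this prefix'."""
    return next(body_matches(clause[0], atoms, {}), None) is not None

ZERO = ("0",)
def succ(t: Any) -> Any:
    return ("s", t)

# Constructed sample set: each non-ground clause has a flat guard carrying var(C).
S_SAMPLE: List[Clause] = [
    ([], ("Nat", ZERO)),                                         # Nat(0).
    ([("Nat", "x")], ("Nat", succ("x"))),                        # Nat(x) -> Nat(s(x))
    ([], ("Even", ZERO)),                                        # Even(0).
    ([("Even", "x")], ("Even", succ(succ("x")))),                # Even(x) -> Even(s(s(x)))
    ([("Even", "x"), ("Nat", succ("x"))], ("Odd", succ("x"))),   # Even(x), Nat(s(x)) -> Odd(s(x))
]
NEVER_ACTIVE: Clause = ([("Prime", "x")], ("Big", succ("x")))  # no Prime atom is ever derived
```

After three iterations the prefix contains Nat(s(s(0))), Even(s(s(s(s(0))))) and Odd(s(0)) but not Even(s(0)); the clause Nat(x) → Nat(s(x)) is active, while the constructed clause with the unused predicate Prime never becomes active.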
Definition 2. For a term $t$, $\mathrm{vardepth}(t)$ is defined in the following way: if $t$ is ground, then $\mathrm{vardepth}(t) = -1$. Else, if $t$ is a variable, then $\mathrm{vardepth}(t) = 0$; else $t = f(t_1, \dots, t_n)$, and $\mathrm{vardepth}(t) = 1 + \max(\mathrm{vardepth}(t_1), \dots, \mathrm{vardepth}(t_n))$. 

The vardepth of an atom is defined to be the maximal vardepth of its arguments, and the vardepth of a literal is the vardepth of its atom. The vardepth of a clause is the maximal vardepth of its literals. 

Based on vardepth, we define the following simple ordering on literals: 

Definition 3. Let $L_1$ and $L_2$ be literals. Then $L_1 \succ_{vd} L_2$ iff $\mathrm{vardepth}(L_1) > \mathrm{vardepth}(L_2)$. 

A literal $L$ is flat if all of its arguments are variables. It is weakly flat if all of its arguments are either variables or ground terms. A literal $L$ is weakly covering if every non-ground functional subterm of $L$ contains all the variables in $\mathrm{var}(L)$. The proofs for the following theorems can be found in [7]: 

Theorem 1. Let $L_1$ and $L_2$ be two unifiable weakly covering literals with mgu $\sigma$, and $K = L_1\sigma$. Then $K$ is weakly covering, and $\mathrm{vardepth}(K) \le \max(\mathrm{vardepth}(L_1), \mathrm{vardepth}(L_2))$. 

Theorem 2. Let $L_1$ and $L_2$ be two weakly covering literals with $\mathrm{var}(L_1) \subseteq \mathrm{var}(L_2)$ and $\mathrm{vardepth}(L_1) < \mathrm{vardepth}(L_2)$, and $\theta$ a substitution such that $L_2\theta$ is weakly covering. Then $L_1\theta$ is weakly covering, and $\mathrm{vardepth}(L_1\theta) < \mathrm{vardepth}(L_2\theta)$. 

Now we will show the following lemma: 

Lemma 1. Let $L_1$ and $L_2$ be two variable disjoint, unifiable weakly covering literals with $\mathrm{vardepth}(L_1) < \mathrm{vardepth}(L_2)$. Then there exists an mgu $\sigma$ such that $\mathrm{var}(L_1) \subseteq \mathrm{dom}(\sigma)$ and for all $x \mapsto t \in \sigma$, 

- if $x \in \mathrm{var}(L_1)$, then $\mathrm{var}(t) \subseteq \mathrm{var}(L_2)$, and 

- if $x \in \mathrm{var}(L_2)$, then $t$ is ground or $t \in \mathrm{var}(L_2)$. 

Proof. Let $\theta$ be an mgu of $L_1$ and $L_2$. Clearly, $\theta$ can map variables from $L_2$ only to other variables or to ground terms; otherwise, $L_2\theta$ would have a greater vardepth than $L_2$, which would contradict Theorem 1. If $\theta = \{x \mapsto y\} \cup \theta'$ with $x \in \mathrm{var}(L_2)$ and $y \in \mathrm{var}(L_1)$, the substitution $(\theta'\{y \mapsto x\}) \cup \{y \mapsto x\}$ is also an mgu of $L_1$ and $L_2$. In this way, we can "reverse" all the pairs in $\theta$ that map a variable in $\mathrm{var}(L_2)$ to a variable in $\mathrm{var}(L_1)$. Let $\sigma$ be the result of this reversing of all such pairs. 

Now suppose there is a variable $x$ such that $x \in \mathrm{var}(L_1)$ and $x \notin \mathrm{dom}(\sigma)$. Then a functional term $t$ exists such that $t = y\sigma$ with $y \in \mathrm{var}(L_2)$ and $x \in \mathrm{var}(t)$. But this is not possible. 

Finally, since all variables in $\mathrm{var}(L_1)$ occur on the left hand side of the pairs in $\sigma$, none of them can occur on a right hand side. □ 

Remark: It is easy to see that we can find the mgu as in the above lemma simply by applying the standard, rule based unification algorithm with $L_1$ as first and $L_2$ as second argument. We will denote the mgu of $L_1$ and $L_2$ computed in this way by $\mathrm{mgu}(L_1, L_2)$. 
Definition 4. A clause $C$ is guarded iff 

1. every literal $L \in C$ is weakly covering, 

2. if $C$ is not ground, then there is a negative literal $G \in C$ (the guard) such that $\mathrm{vardepth}(G) = 0$ and $\mathrm{var}(G) = \mathrm{var}(C)$, and 

3. if for a literal $L \in C$, $\mathrm{vardepth}(L) \ge 1$, then $\mathrm{var}(L) = \mathrm{var}(C)$. 

The proof for the following lemma can be found in [7]: 

Lemma 2. If $C$ is a non-ground resolvent of clauses $C_1$ and $C_2$, then $C$ contains no ground terms that are not in $C_1$ or $C_2$. If $C$ is a resolvent of a ground clause $C_1$ and a non-ground clause $C_2$, then $\mathrm{depth}(C) \le \max(\mathrm{depth}(C_1), \mathrm{depth}(C_2))$. 

Definition 5. A guarded Horn clause is called primitive if it is ground and its body is empty, or it has the form $P(x_1, \dots, x_n) \to Q(t_1, \dots, t_m)$ where $x_i \ne x_j$ if $i \ne j$ and $1 \le i, j \le n$, and $\mathrm{vardepth}(Q(t_1, \dots, t_m)) > 0$. 
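Definitions 2 to 5 as executable checks, an added Python example that is not from the paper. The encoding (strings for variables, tuples for function and predicate applications, 1-tuples for constants) is this example's own; the two sample clauses are the clauses $C$ and $C'$ of Example 1 in Section 3.2, written in that encoding. `is_guarded` checks the three conditions of Definition 4 and `is_primitive` the shape of Definition 5, including the requirement that the clause be guarded.

```python
# Added example, not from the paper: vardepth (Definition 2), flat / weakly
# flat / weakly covering literals, guarded clauses (Definition 4) and primitive
# guarded Horn clauses (Definition 5).  Variables are strings; function and
# predicate applications are tuples (symbol, *args); constants are 1-tuples.
from typing import Any, List, Optional, Tuple

Atom = tuple
Clause = Tuple[List[Atom], Optional[Atom]]  # (body, head); head None = negative clause

def is_var(t: Any) -> bool:
    return isinstance(t, str)

def var(e: Any) -> List[str]:
    """var(e): the variables of a term or atom in order of first occurrence."""
    if is_var(e):
        return [e]
    out: List[str] = []
    for a in e[1:]:
        out += [v for v in var(a) if v not in out]
    return out

def vardepth(t: Any) -> int:
    """Definition 2: -1 for ground terms, 0 for variables, 1 + max over args otherwise."""
    if is_var(t):
        return 0
    if not var(t):
        return -1
    return 1 + max(vardepth(a) for a in t[1:])

def atom_vardepth(atom: Atom) -> int:
    """The vardepth of an atom is the maximal vardepth of its arguments."""
    return max((vardepth(a) for a in atom[1:]), default=-1)

def clause_literals(c: Clause) -> List[Atom]:
    body, head = c
    return body + ([head] if head is not None else [])

def clause_var(c: Clause) -> List[str]:
    out: List[str] = []
    for lit in clause_literals(c):
        out += [v for v in var(lit) if v not in out]
    return out

def is_flat(atom: Atom) -> bool:
    return all(is_var(a) for a in atom[1:])

def is_weakly_flat(atom: Atom) -> bool:
    return all(is_var(a) or not var(a) for a in atom[1:])

def is_weakly_covering(atom: Atom) -> bool:
    """Every non-ground functional subterm contains all the variables of the literal."""
    vs = set(var(atom))
    def ok(t: Any) -> bool:
        if is_var(t) or not var(t):
            return True
        return set(var(t)) == vs and all(ok(a) for a in t[1:])
    return all(ok(a) for a in atom[1:])

def is_guarded(c: Clause) -> bool:
    """Definition 4: weakly covering literals, a flat negative guard with var(C)
    (for non-ground clauses), and var(L) = var(C) for every literal of vardepth >= 1."""
    lits = clause_literals(c)
    cvars = set(clause_var(c))
    if not all(is_weakly_covering(l) for l in lits):
        return False
    if cvars and not any(atom_vardepth(b) == 0 and set(var(b)) == cvars for b in c[0]):
        return False
    return all(set(var(l)) == cvars for l in lits if atom_vardepth(l) >= 1)

def is_primitive(c: Clause) -> bool:
    """Definition 5: a ground fact, or P(x1..xn) -> Q(t1..tm) with pairwise
    different variables xi and a non-ground functional term in the head."""
    body, head = c
    if head is None:
        return False
    if not body:
        return not var(head)
    if len(body) != 1:
        return False
    args = body[0][1:]
    return (all(is_var(a) for a in args) and len(set(args)) == len(args)
            and atom_vardepth(head) > 0 and is_guarded(c))

# The clauses C and C' of Example 1 (Section 3.2) in this encoding.
C_EX: Clause = ([("R", "x", "y")],
                ("P", ("g", ("f", "x", "y"), ("h", "y", "x")),
                      ("h", ("f", "x", "y"), ("h", "y", "x"))))
CP_EX: Clause = ([("U", "x", "y"), ("P", ("g", "x", "y"), ("h", "x", "y"))],
                 ("S", ("f", "x", "y")))
```

Both clauses of Example 1 are guarded (the flat body literals $R(x,y)$ and $U(x,y)$ are the guards); $C$ is primitive, with a head of vardepth 2, while $C'$ is not, because its body has two literals, one of them not weakly flat.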

In [8], it is shown that finite sets of guarded clauses can always be finitely saturated under ordered resolution and factorization using the following ordering $\sqsubset$ on literals of guarded clauses: 

For two literals $L_1$ and $L_2$, $L_1 \sqsubset L_2$ iff 

1. $\mathrm{vardepth}(L_1) < \mathrm{vardepth}(L_2)$, or 

2. $\mathrm{var}(L_1) \subset \mathrm{var}(L_2)$. 

The ordered resolution rule is defined in the standard way. In order to preserve refutational completeness, the binary factorization rule, defined as usual, is also needed. If a set of guarded clauses $S$ is not satisfiable, the empty clause is contained in the saturated set obtained from $S$. Therefore we get a decision procedure for sets of guarded clauses. 

3 Transformation of Guarded Horn Clauses into Primitive Guarded Horn Clauses 

In this section, we will show that for every satisfiable set of guarded Horn clauses $S$, a set $S'$ of primitive guarded Horn clauses exists such that $M_S = M_{S'} \cap HB_S$ (the intersection is necessary because we introduce new predicate symbols). 

3.1 Saturation and Extraction 

As a first step, we will show that in a satisfiable and saturated set of guarded Horn clauses, already those clauses in which the vardepth of the head is strictly greater than the vardepth of any body literal generate the least Herbrand model. 

Theorem 3. Let $S$ be a satisfiable set of guarded Horn clauses, and $\bar S$ be the closure of $S$ under $\sqsubset$-ordered resolution and factorization. Let 

$$S' = \{B_1, \dots, B_n \to H \in \bar S \mid H \succ_{vd} B_i \text{ for } 1 \le i \le n \text{ and } B_1, \dots, B_n \to H \text{ is active in } S\}.$$

Then, $M_S = M_{S'}$. 
Proof. We clearly have that $M_S = M_{\bar S}$, because all the clauses in $\bar S$ are logical consequences of the clauses in $S$. 

$M_{S'} \subseteq M_S$: Since $S' \subseteq \bar S$, we have that $M_{S'} \subseteq M_{\bar S} = M_S$. 

$M_S \subseteq M_{S'}$: Let $A$ be a ground atom that is true in $M_S = M_{\bar S}$. Let $S'' = \{B_1, \dots, B_n \to H \in \bar S \mid H \not\sqsubset B_i \text{ for } 1 \le i \le n\}$. Then, the empty clause can be deduced from $\{\neg A\} \cup \bar S$ by $\sqsubset$-ordered resolution. In this refutation process, all newly deduced clauses are negative ground clauses: $\bar S$ is already closed under resolution, and if we resolve a negative ground clause with a guarded Horn clause, we obtain again a negative ground clause. The reason for this is that the head of the Horn clause must be $\sqsubset$-maximal according to the ordering restriction, and therefore contain all variables of the clause. 

So for the refutation of $\{\neg A\} \cup \bar S$ we only use clauses in which the head is $\sqsubset$-maximal. But those clauses are contained in $S''$. Therefore, $A \in M_{S''}$. 

The set $S''$ is closed under $\sqsubset$-ordered resolution: Let $A_1, \dots, A_n \to K$ and $B_1, \dots, B_m \to H$ be two clauses in $S''$. W.l.o.g. we assume that we can $\sqsubset$-resolve on $A_1$ and $H$. Let $\theta = \mathrm{mgu}(A_1, H)$. Then we obtain the clause $C = B_1\theta, \dots, B_m\theta, A_2\theta, \dots, A_n\theta \to K\theta$. 

The clause $C$ is contained in $\bar S$ because $S'' \subseteq \bar S$, and $\bar S$ is closed under $\sqsubset$-resolution. Because according to Theorem 2, for $1 < j \le n$, $K\theta \succ_{vd} A_j\theta$, and for $1 \le i \le m$, $H\theta = A_1\theta \succ_{vd} B_i\theta$, we have that $K\theta$ is $\sqsubset$-maximal in $C$, and therefore $C \in S''$. 

Now, we will show that $M_{S''} = T_{S''}^\omega \subseteq T_{S'}^\omega = M_{S'}$. There is a natural number $n$ such that $A \in T_{S''}^n$. We will show by induction on $n$ that $A \in T_{S'}^\omega$. 

- $n = 1$: $A$ is a ground atom that is contained in $S''$, and because $S'' \subseteq \bar S$, $A$ is trivially active in $S$. It follows from the definition of $S'$ that $A \in S'$. So, $A \in T_{S'}^1 \subseteq T_{S'}^\omega$. 

- $n > 1$: let $A$ be generated by a clause $C \in S''$. Let $C = A_1, \dots, A_k \to H$. Then, there is a ground substitution $\theta$ such that $A = H\theta$, and $A_i\theta \in T_{S''}^{n-1}$. W.l.o.g. we assume that there is a natural number $l$ such that $\mathrm{vardepth}(A_i) = \mathrm{vardepth}(H)$ for $1 \le i \le l$, and $\mathrm{vardepth}(A_i) < \mathrm{vardepth}(H)$ for $l < i \le k$. According to the induction hypothesis, we have that $A_i\theta \in T_{S'}^\omega$. Let $m_i$ be the smallest number such that $A_i\theta \in T_{S'}^{m_i}$, and let $A_i\theta$ be generated by the clause $C_i = B_{i,1}, \dots, B_{i,k_i} \to H_i$. Since $C_i \in S'$, we have that $\mathrm{vardepth}(H_i) > \mathrm{vardepth}(B_{i,j})$ for $1 \le j \le k_i$ and $1 \le i \le k$. Let $m = \max\{m_i\}_{i=1}^{k}$. 

Then, for $1 \le i \le k$, there is a ground substitution $\sigma_i$ such that $A_i\theta = H_i\sigma_i$, and $B_{i,j}\sigma_i \in T_{S'}^\omega$ for $1 \le j \le k_i$. Let $\tau = \theta \cup \sigma_1 \cup \dots \cup \sigma_k$. Then, $\tau$ unifies $A_i$ with $H_i$ for $1 \le i \le k$. 

Because for $1 \le i \le l$, the $A_i$ are $\sqsubset$-maximal in $C$, and $A_i$ can be unified with $H_i$, we can successively apply $\sqsubset$-ordered resolution between $C$ and $C_i$ on $A_i$ and $H_i$. Let $\phi$ be the most general substitution such that $A_i\phi = H_i\phi$ for $1 \le i \le l$. Then, $\phi$ is more general than $\tau$. Since the set of clauses $S''$ is saturated under $\sqsubset$-ordered resolution, it must contain the clause 

$$\bar C = B_{1,1}\phi, \dots, B_{1,k_1}\phi, \dots, B_{l,1}\phi, \dots, B_{l,k_l}\phi, A_{l+1}\phi, \dots, A_k\phi \to H\phi.$$

Let $\Delta = \{B_{i,j} \mid 1 \le i \le l,\ 1 \le j \le k_i\} \cup \{A_i \mid l < i \le k\}$. 

First, let us assume that $\phi$ is not ground. Then, for $1 \le i \le l$, we have that $\mathrm{vardepth}(H\phi) = \mathrm{vardepth}(A_i\phi) = \mathrm{vardepth}(H_i\phi) > \mathrm{vardepth}(B_{i,j}\phi)$ where $1 \le j \le k_i$ (Theorem 2). Therefore, the vardepth of $H\phi$ is strictly maximal in $\bar C$. 

Finally, for each atom $D \in \Delta$, we have that $D\tau \in T_{S'}^\omega$. Since $\phi$ is more general than $\tau$, the atom $H\tau = H\theta = A$ is generated by $\bar C$. Therefore $\bar C$ is active in $S$ and contained in $S'$, and $A \in T_{S'}^\omega$. 

If $\phi$ is a ground substitution, then $\phi = \tau$. Consider the negative clause $C'' = \neg B_{1,1}\tau, \dots, \neg B_{l,k_l}\tau, \neg A_{l+1}\tau, \dots, \neg A_k\tau$. This clause is false in $T_{S''}^\omega$, because $D\tau \in T_{S'}^\omega \subseteq T_{S''}^\omega$ for each $D \in \Delta$. Therefore, it is possible to deduce the empty clause from $\{C''\} \cup S''$ using $\sqsubset$-ordered resolution. But then, it is also possible to deduce the clause $\{H\tau\}$ from $S''$, because we obtain $\bar C$ from $C''$ by adding the literal $H\tau$. This literal is ground, so it is not greater than any literal in $C''$, and we can apply the same resolution steps on $\bar C$ as on $C''$. 

Because $S''$ is closed under $\sqsubset$-ordered resolution, it must contain $H\tau = A$. $A$ is trivially active in $S$. By definition of $S'$, $A \in S'$. Finally, we have that $A \in T_{S'}^1 \subseteq T_{S'}^\omega$. □ 

3.2 Flattening of the Body Literals 

The second step is the transformation of a set of guarded Horn clauses in which the head is strictly $\succ_{vd}$-maximal into a set of guarded Horn clauses where all body literals are weakly flat. 

We use a transformation similar to the unfolding operation known from logic program transformation: the principle is to replace a clause $C$ by all possible resolvents with other clauses on a certain literal $L \in C$. The goal of this transformation is to decrease the vardepth of the body literals of the present clauses. If we use standard resolution, this is not possible, since variables in $L$ might be instantiated with functional terms. In the case of guarded clauses, the variables in $L$ must occur in all other literals of $C$, so the vardepth of the literals in $C$ different from $L$ would increase. In order to avoid this, we have to perform a certain decomposition operation on clauses. 

This decomposition operation is based on the following observation: let $C = B_1, \dots, B_n \to H$ be a guarded Horn clause, and $L$ be a literal that is unifiable with $H$ and such that $\mathrm{vardepth}(L) < \mathrm{vardepth}(H)$, and $\sigma = \mathrm{mgu}(L, H)$. Let $\theta = \{x \mapsto t \in \sigma \mid x \in \mathrm{var}(L)\}$. Then we can decompose $C$ into two guarded Horn clauses $C_1 = B_1\sigma, \dots, B_n\sigma \to Q(t_1, \dots, t_m)$ and $C_2 = Q(x_1, \dots, x_m) \to L$, where $\{x_i \mapsto t_i \mid 1 \le i \le m\} = \theta$ and $Q$ is a fresh predicate symbol of arity $m$. Then, $C$ is the resolvent of $C_1$ and $C_2$ on the literals containing $Q$. 

So, if $L$ is a negative literal in a guarded Horn clause $C'$ that we resolve upon, we can construct two guarded Horn clauses that are logically equivalent to the standard resolvent of $C$ and $C'$, without instantiating the variables of $C'$. 

Example 1. Let $C = R(x,y) \to P(g(f(x,y),h(y,x)),\ h(f(x,y),h(y,x)))$ and $C' = U(x,y), P(g(x,y),h(x,y)) \to S(f(x,y))$. Decreasing the vardepth of the body of $C'$ by resolution with $C$ does not work, because we would get the resolvent $U(f(x,y),h(y,x)), R(x,y) \to S(f(f(x,y),h(y,x)))$. Using decomposition, we get $U(x,y), Q(x,y) \to S(f(x,y))$ and $R(x,y) \to Q(f(x,y),h(y,x))$. 
We integrate this decomposition into the resolution rule in order to avoid instantiations of the variables of the negative premise with non-ground, functional terms. We call this modified version of resolution decomposing resolution, and for short d-resolution. 

Definition 6. Let $\{\neg A_1\} \cup R_1$ and $\{A_2\} \cup R_2$ be two clauses such that $A_1$ and $A_2$ are unifiable, and $\sigma = \mathrm{mgu}(A_1, A_2)$. Then, the d-resolution rule is defined as follows: 

- if $\mathrm{vardepth}(A_1) \ge \mathrm{vardepth}(A_2)$ or $\sigma$ is a ground substitution, 

$$\frac{\{\neg A_1\} \cup R_1 \qquad \{A_2\} \cup R_2}{R_1\sigma \cup R_2\sigma}$$

- else (i.e. $\mathrm{vardepth}(A_1) < \mathrm{vardepth}(A_2)$ and $\sigma$ is not ground) 

$$\frac{\{\neg A_1\} \cup R_1 \qquad \{A_2\} \cup R_2}{\{\neg Q(x_1, \dots, x_n)\} \cup R_1\theta \qquad \{Q(t_1, \dots, t_n)\} \cup R_2\theta}$$

where 

• $\theta = \{x \mapsto t \in \sigma \mid t \text{ is ground or } x \in \mathrm{var}(A_2)\}$, 

• $(x_1, \dots, x_n) = \mathrm{var}(A_1\theta)$, 

• $(t_1, \dots, t_n) = (x_1, \dots, x_n)\sigma$, 

• $Q$ is a fresh predicate symbol. 

We call $R_1\sigma \cup R_2\sigma$ resp. $\{\neg Q(x_1, \dots, x_n)\} \cup R_1\theta$ a d-resolvent of $\{\neg A_1\} \cup R_1$ and $\{A_2\} \cup R_2$, and we call $\{Q(t_1, \dots, t_n)\} \cup R_2\theta$ (if it exists) a d-component of $\{A_2\} \cup R_2$. In this case, we call $Q$ a decomposition predicate. 
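The rule-based unification of the Remark after Lemma 1 and the d-resolution rule of Definition 6, as an added Python example that is not part of the paper. `mgu` is the standard rule-based algorithm applied with the first argument on the left, so in a variable-variable pair the variable of the first argument is bound, which gives the orientation of Lemma 1; `d_resolve` implements both cases of Definition 6 on Horn clauses, and `resolve` is the standard resolvent, used to check the recombination stated in Proposition 1. The tuple encoding, the function names and the fresh predicate name `Q` are this example's conventions; the sample clauses are Example 1 with the variables of $C'$ renamed apart to $u, v$.

```python
# Added example, not from the paper: rule-based unification with the
# orientation of Lemma 1, and d-resolution (Definition 6) replayed on Example 1.
# Encoding: variables are strings, applications are tuples (symbol, *args);
# a Horn clause B1,...,Bn -> H is (body atoms, head atom).  The two premises
# must be variable disjoint, as the paper assumes for distinct clauses.
from typing import Any, Dict, List, Optional, Tuple

Atom = tuple
Clause = Tuple[List[Atom], Atom]
Subst = Dict[str, Any]

def is_var(t: Any) -> bool:
    return isinstance(t, str)

def var(e: Any) -> List[str]:
    """Variables of a term or atom in order of first occurrence."""
    if is_var(e):
        return [e]
    out: List[str] = []
    for a in e[1:]:
        out += [v for v in var(a) if v not in out]
    return out

def vardepth(atom: Atom) -> int:
    """vardepth of an atom: maximum over its arguments of Definition 2."""
    def td(t: Any) -> int:
        if is_var(t):
            return 0
        return -1 if not var(t) else 1 + max(td(a) for a in t[1:])
    return max((td(a) for a in atom[1:]), default=-1)

def apply(s: Subst, t: Any) -> Any:
    if is_var(t):
        return s.get(t, t)
    return (t[0],) + tuple(apply(s, a) for a in t[1:])

def mgu(a: Any, b: Any) -> Optional[Subst]:
    """Standard rule-based unification with `a` as first argument: in a
    variable-variable pair the variable coming from the `a` side is bound,
    so for weakly covering literals the result is oriented as in Lemma 1."""
    sigma: Subst = {}
    pairs = [(a, b)]
    while pairs:
        s, t = pairs.pop()
        s, t = apply(sigma, s), apply(sigma, t)
        if s == t:
            continue
        if is_var(s) or is_var(t):
            x, u = (s, t) if is_var(s) else (t, s)
            if x in var(u):                                   # occurs check
                return None
            sigma = {y: apply({x: u}, v) for y, v in sigma.items()}  # keep sigma idempotent
            sigma[x] = u
        elif s[0] == t[0] and len(s) == len(t):
            pairs.extend(zip(s[1:], t[1:]))
        else:
            return None
    return sigma

def resolve(neg: Clause, i: int, pos: Clause) -> Optional[Clause]:
    """Standard binary resolvent on body atom i of `neg` and the head of `pos`."""
    sigma = mgu(neg[0][i], pos[1])
    if sigma is None:
        return None
    rest = neg[0][:i] + neg[0][i + 1:]
    return ([apply(sigma, b) for b in rest + pos[0]], apply(sigma, neg[1]))

def d_resolve(neg: Clause, i: int, pos: Clause, q: str = "Q") -> Optional[Tuple[Clause, Optional[Clause]]]:
    """Definition 6 on Horn clauses: A1 is body atom i of `neg`, A2 the head of
    `pos`.  Returns (d-resolvent, d-component), the component being None in
    the standard-resolvent case."""
    a1, a2 = neg[0][i], pos[1]
    sigma = mgu(a1, a2)
    if sigma is None:
        return None
    if vardepth(a1) >= vardepth(a2) or all(not var(t) for t in sigma.values()):
        return (resolve(neg, i, pos), None)                   # R1σ ∪ R2σ
    theta = {x: t for x, t in sigma.items() if not var(t) or x in var(a2)}
    xs = var(apply(theta, a1))                                # (x1..xn) = var(A1θ)
    ts = [apply(sigma, x) for x in xs]                        # (t1..tn) = (x1..xn)σ
    resolvent = ([(q,) + tuple(xs) if k == i else apply(theta, b) for k, b in enumerate(neg[0])],
                 apply(theta, neg[1]))                        # {¬Q(x1..xn)} ∪ R1θ
    component = ([apply(theta, b) for b in pos[0]], (q,) + tuple(ts))  # {Q(t1..tn)} ∪ R2θ
    return (resolvent, component)

# Example 1: C = R(x,y) -> P(g(f(x,y),h(y,x)), h(f(x,y),h(y,x))), and
# C' = U(u,v), P(g(u,v),h(u,v)) -> S(f(u,v)) with its variables renamed apart.
C_EX: Clause = ([("R", "x", "y")],
                ("P", ("g", ("f", "x", "y"), ("h", "y", "x")), ("h", ("f", "x", "y"), ("h", "y", "x"))))
CP_EX: Clause = ([("U", "u", "v"), ("P", ("g", "u", "v"), ("h", "u", "v"))], ("S", ("f", "u", "v")))
```

For Example 1, `d_resolve(CP_EX, 1, C_EX)` returns the d-resolvent $U(u,v), Q(u,v) \to S(f(u,v))$ and the d-component $R(x,y) \to Q(f(x,y),h(y,x))$, and resolving those two on $Q$ gives back the standard resolvent $U(f(x,y),h(y,x)), R(x,y) \to S(f(f(x,y),h(y,x)))$ that the example shows, which is the recombination of Proposition 1.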

More generally, we will say that a clause $D$ is a d-component of a clause $C$ if there is a clause $C'$ such that $D$ can be obtained as d-component from d-resolution of $C$ as positive premise with $C'$ (with appropriate choice of the decomposition predicate). 

Note that if $C$ is a Horn clause, a d-component $D$ of $C$ is also a Horn clause, and $\mathrm{body}(D)$ is an instance of $\mathrm{body}(C)$. 

It is not always necessary to introduce a new decomposition predicate: if we d-resolve a clause $C$ as positive premise with a clause $C_1$ and then with a clause $C_2$ as negative premises, and the literals $L_1 \in C_1$ and $L_2 \in C_2$ that are resolved upon are identical (modulo renaming), two d-components of $C$ whose heads have the same argument tuple are introduced. In this case it is enough to introduce one d-component, and use the same decomposition predicate in both of the d-resolvents. This fact is used in the procedure in Fig. 1, which implements d-resolution. 

A d-resolvent is related to the standard resolvent in the following way: 

Proposition 1. Let $C_1 = \{\neg A_1\} \cup R_1$ and $C_2 = \{A_2\} \cup R_2$ be two guarded Horn clauses, and let $\mathrm{vardepth}(A_1) > 0$. Then, the d-resolvent of $C_1$ and $C_2$ on $\neg A_1$ and $A_2$ is either the standard resolvent, or a guarded Horn clause $C'_1$ such that the standard resolvent is obtained by resolution of $C'_1$ with the corresponding d-component $C'_2$ on the literals containing the decomposition predicate. The d-component is also a guarded Horn clause. 
procedure d-resolve((B_1, ..., B_n → H), i, (A_1, ..., A_m → K), S)
begin
  σ = mgu(B_i, K); R = ∅
  if vardepth(B_i) ≥ vardepth(K) or σ is ground then
    C = (B_1, ..., B_{i-1}, A_1, ..., A_m, B_{i+1}, ..., B_n → H)σ
  else
    θ = {x ↦ t ∈ σ | t is ground or x ∈ var(K)}
    (x_1, ..., x_k) = var(B_i θ)
    (t_1, ..., t_k) = (x_1, ..., x_k)σ
    if ∃ A'_1, ..., A'_m → Q(s_1, ..., s_k) ∈ S such that (t_1, ..., t_k) = (s_1, ..., s_k) then
      P = Q
    else
      let P be a fresh predicate symbol
      R = {A_1 θ, ..., A_m θ → P(t_1, ..., t_k)}
    end if
    C = B_1 θ, ..., B_{i-1} θ, P(x_1, ..., x_k), B_{i+1} θ, ..., B_n θ → H θ
  end if
  result = (C, R)
end procedure



Fig. 1. The d-resolve procedure 



Proof. It is obvious that the deduced clauses are Horn if the premises are Horn. If $\mathrm{vardepth}(A_1) \ge \mathrm{vardepth}(A_2)$, we get the standard resolvent, which is always guarded (see [7]). 

Now consider the case that $\mathrm{vardepth}(A_1) < \mathrm{vardepth}(A_2)$. Then we get the d-resolvent $\{\neg Q(x_1, \dots, x_n)\} \cup R_1\theta$ and the d-component $\{Q(t_1, \dots, t_n)\} \cup R_2\theta$ as defined in Definition 6. For every $t_i$ in $Q(t_1, \dots, t_n)$, there is a subterm $s_i$ of $A_2$ such that $t_i = s_i\theta$. Because $\mathrm{vardepth}(A_1) < \mathrm{vardepth}(A_2)$, there must be at least one $s_j$ that is a non-ground functional term. Since $A_2$ is covering, $s_j$ must contain all the variables of $A_2$, and $Q(s_1, \dots, s_n)$ is also covering. Because for all $x \in \mathrm{var}(A_2)$, $x\theta$ is a ground term or another variable in $\mathrm{var}(A_2)$, $Q(s_1, \dots, s_n)\theta = Q(t_1, \dots, t_n)$ is covering. Finally, because $\mathrm{var}(Q(s_1, \dots, s_n)) = \mathrm{var}(A_2) = \mathrm{var}(R_2)$, we have that $\mathrm{var}(Q(t_1, \dots, t_n)) = \mathrm{var}(R_2\theta)$. If $R_2$ contains a guard $G$, then $G\theta$ is a guard of $R_2\theta$. So, the d-component is a guarded clause. 

Concerning the d-resolvent, we have that $V = \{x_1, \dots, x_n\} \subseteq \mathrm{var}(A_1) = \mathrm{var}(R_1)$. Since $x\theta = x$ for all the variables in $V$, and $y\theta$ is ground for $y \in \mathrm{var}(R_1) \setminus V$, we have that $V = \mathrm{var}(R_1\theta)$. So, the d-resolvent is a guarded clause, and $\neg Q(x_1, \dots, x_n)$ is a guard. 

Resolution of $\{\neg Q(x_1, \dots, x_n)\} \cup R_1\theta$ with $\{Q(t_1, \dots, t_n)\} \cup R_2\theta$ gives $R_1\theta\tau \cup R_2\theta\tau = R_1\sigma \cup R_2\sigma$ with $\tau = \{x_i \mapsto t_i \mid 1 \le i \le n\}$ and $\sigma = \mathrm{mgu}(A_1, A_2)$. □ 

The following lemma states that a d-resolvent is always smaller than the negative premise: 

Lemma 3. Let $C_1$ and $C_2$ be two guarded Horn clauses in which the head is strictly $\succ_{vd}$-maximal, and such that we can resolve $C_1$ and $C_2$ on the head of $C_2$ and on a negative literal $L \in C_1$ for which $\mathrm{vardepth}(L) > 0$. 
Then, the d-resolvent $D$ of $C_1$ and $C_2$ is strictly $\succ_{vd}^{mul}$-smaller than $C_1$, where $\succ_{vd}^{mul}$ is the multiset extension of $\succ_{vd}$. 

Proof. Let $C_2 = B_1, \dots, B_n \to H$, and $\sigma = \mathrm{mgu}(L, H)$. First, suppose that $\mathrm{vardepth}(H) > \mathrm{vardepth}(L)$. To obtain $D$ from $C_1$, some variables in $C_1$ are instantiated with ground terms, and $L$ is replaced by a literal $L'$ with vardepth 0. Since $L \succ_{vd} L'$, we have that $C_1 \succ_{vd}^{mul} D$. 

If $\mathrm{vardepth}(H) \le \mathrm{vardepth}(L)$, then in order to obtain $D$ from $C_1$, some variables in $C_1$ are instantiated with other variables or ground terms, and $L$ is replaced by $(B_1, \dots, B_n)\sigma$. Since $\mathrm{vardepth}(L) \ge \mathrm{vardepth}(L\sigma) = \mathrm{vardepth}(H\sigma) > \mathrm{vardepth}(B_i\sigma)$ and thus $L \succ_{vd} B_i\sigma$ for $1 \le i \le n$, we have that $C_1 \succ_{vd}^{mul} D$. □ 

An important property of d-resolution is that there are only finitely many different ways to decompose a clause, if the set of ground terms that may occur is finite. 

Lemma 4. Let $T$ be a finite set of ground terms, and $S$ be a (possibly infinite) set of guarded Horn clauses such that for every non-ground clause $C \in S$, every ground term that occurs in $C$ is contained in $T$. 

Let $C$ be a guarded Horn clause, and $\mathcal{S}$ be the set of all d-components of $C$ that can be deduced by d-resolution between $C$ (as positive premise) and clauses in $S$. 

Then, the set $\{\mathrm{args}(\mathrm{head}(D)) \mid D \in \mathcal{S}\}$ is finite modulo renaming. 

Proof. Let $H = \mathrm{head}(C)$. Then, there are only finitely many non-ground weakly covering literals $L$ (modulo renaming) such that $\mathrm{vardepth}(L) < \mathrm{vardepth}(H)$, the ground subterms of $L$ are contained in $T$, and $L$ is unifiable with $H$. □ 

Now we will define a transformation algorithm. The idea is to associate to every clause $C \in S$ the set of d-components of $C$ that are generated during the transformation process. Such a set is always finite by Lemma 4, if we introduce a new decomposition predicate only if there is not already an equivalent one. So, our algorithm operates on a set $\mathcal{C}$ of pairs of the form (clause $C$, set of d-components of $C$). 

If a clause $C$ with $(C, S) \in \mathcal{C}$ contains a body literal $B$ that is not weakly flat, we unfold $C$ on $B$. This means that we replace $C$ by all d-resolvents we can obtain by d-resolving $C$ on $B$ with a clause $C'$ s.th. $(C', S') \in \mathcal{C}$, which may have the side effect of adding a new d-component of $C'$ to $S'$. 

Then, we perform the same unfolding operation for every d-component $D \in S$ on the literal $B' \in D$ that corresponds to $B$. 

If $C$ is self-resolvent on $B$, this leads to the addition of new d-components to $S$ itself. Therefore, this possibility has to be considered first. 

Clearly, a newly generated clause that is not active can be deleted. If a clause is ground and active, its body can be deleted, because all the body literals are false in the least Herbrand model. 

The procedure flatten that implements the flattening algorithm is shown in Fig. 2. We use the following notation: for a literal $L$, $\mathrm{pr}(L)$ denotes the predicate 
procedure flatten(S)
begin
  𝒞 = {(C, ∅) | C ∈ S}
  while ∃(C, S) ∈ 𝒞: body(C) contains a non-weakly-flat literal do
    choose (C = B_1, ..., B_n → H, S) ∈ 𝒞 and 1 ≤ i ≤ n s.th. vardepth(B_i) > 0
      and vardepth(H) > vardepth(Lit_{pr(H)}(Cl(𝒞)))
    L = list containing all elements of 𝒞 with (C, S) at head position; 𝒞' = ∅
    for j = 1 to length(L) do
      let L[j] = (C', S')
      if resolve(C, i, C') exists and is active in Cl(𝒞) then
        (C̄, X) = d-resolve(C, i, C', S')
        if C̄ is ground then C̄ = head(C̄) end if
        S' = S' ∪ X; A = S; R = ∅
        while A ≠ ∅ do
          choose C'' ∈ A; A = A \ {C''}
          if resolve(C'', i, C') exists and is active in Cl(𝒞) then
            (D, X) = d-resolve(C'', i, C', S')
            if D is ground then D = head(D) end if
            S' = S' ∪ X; R = R ∪ {D}
            if j = 1 then A = A ∪ {D} end if
          end if
        end while
        𝒞' = 𝒞' ∪ {(C̄, R)}
      end if
    end for
    𝒞 = (𝒞 \ {(C, S)}) ∪ 𝒞'
  end while
  result = Cl(𝒞)
end procedure



Fig. 2. The flatten procedure 



symbol in $L$. If $S$ is a set of clauses and $P$ a predicate symbol, then $\mathrm{Lit}_P(S)$ denotes the set of all negative literals $L$ with $\mathrm{pr}(L) = P$ that occur in $S$. For a set $\mathcal{C}$ of pairs (clause, clause set), $\mathrm{Cl}(\mathcal{C}) = \bigcup_{(C,S) \in \mathcal{C}} (\{C\} \cup S)$. We denote by $\mathrm{resolve}(C_1, i, C_2)$, where $C_1$ and $C_2$ are Horn clauses, the (standard) resolvent of $C_1$ and $C_2$ on the $i$-th body literal of $C_1$ and the head of $C_2$. 

Proposition 2. The procedure flatten terminates on every set $S$ of guarded Horn clauses in which the head is strictly $\succ_{vd}$-maximal, and furnishes as result a set $S'$ of guarded Horn clauses such that for every $C \in S'$, 

— $\mathrm{body}(C) = \emptyset$ and $\mathrm{head}(C)$ is ground, or 

— $\mathrm{vardepth}(\mathrm{body}(C)) = 0$ and $\mathrm{vardepth}(\mathrm{head}(C)) > 0$, 

and such that $M_S = M_{S'} \cap HB_S$. 

Proof. First, we show termination. Let $>$ be the ordering on pairs (clause, clause set) defined as follows: $(C_1, S_1) > (C_2, S_2)$ iff $C_1 \succ_{vd}^{mul} C_2$. Let $\gg$ be the multiset extension of $>$. Clearly, $>$ is well-founded, and $\gg$ is also well-founded. 

Every iteration of the outer while loop replaces a pair $(C, S) \in \mathcal{C}$ by a set of pairs $\{(C_i, S_i) \mid 1 \le i \le m\}$ such that all the $C_i$ are d-resolvents of $C$ as negative and a clause $C'$ with $(C', S') \in \mathcal{C}$ as positive premise. Since d-resolvents are always strictly smaller than the negative premise, the set of pairs $\mathcal{C}$ gets strictly smaller under $\gg$. 

Termination of the inner while loop is obvious if $j \ne 1$. If $j = 1$, this means that the chosen clause $C$ and its d-components in $S$ are d-resolved with $C$ itself. Then, if a new d-component $D$ of $C$ is generated, $D$ must also be d-resolved with $C$, which might lead to the generation of another d-component. But termination is assured by the fact that for every pair $(C, S)$, the set $S$ containing d-components of $C$ is finite. The reason for this is that no new ground terms can be introduced into non-ground clauses (Lemma 2), and we avoid the introduction of different d-components whose head literals have the same argument tuples, so the finiteness of $S$ follows from Lemma 4 and the fact that it is not possible to add infinitely many ground clauses (Lemma 2). 

In a pair (C, S), all the clauses in S are always d-components of C: this 
is clearly the case for such clauses that are added to 5 by the d-resolution 
procedure. On the other hand, let C be obtained by d-resolution of a clause C 
as negative premise on a literal L e C with a clause C". Then, every clause 
D G S is obtained by d-resolution of a d-component D' of C with C" on a literal 
L' € D' which is an instance of L, where body literals of active ground clauses 
are deleted. Clearly, such clauses are d-components of C. 

Therefore, if C = Bi,... ,B„ H, every C e <S is either a ground clause 
with one positive literal H', or it has the form C = B\a, ... ,BnO H' , where 
cr is a substitution such that for all a: 6 var(C), xa is ground or a variable from 
var(C). So, if there are only weakly flat literals in C, this is also the case for the 
clauses in S. 

It is not necessary to apply d-resolution on literals containing decomposition 
predicates, because negative literals with decomposition predicates can never 
contain non-ground functional terms: Suppose a variable of a negative literal 
with a decomposition predicate in a clause C would be instantiated with a non- 
ground functional term. This is only possible if C is used as positive premise 
for d-resolution. But then, the negative literal L we resolve upon has greater 
vardepth than the head of C. But this is not possible, because if we introduce a 
decomposition predicate in a d-component generated by a clause C'', the head H 
of C must have greater vardepth than all negative literals containing the same 
predicate symbol as H. 

Let 𝒜 = {(C, S) ∈ 𝒞 | body(C) contains a non-weakly-flat literal}. If 𝒜 is 
not empty, there is always a pair (C, S) ∈ 𝒜 such that the head of C has greater 
vardepth than all negative literals with the same predicate symbol in Cl(𝒞). For 
example, choose (C, S) such that vardepth(C) ≥ vardepth(C') for all C' with 
(C', S') ∈ 𝒜. Therefore, there is always a pair in 𝒜 that can be chosen, and 
when the procedure stops, all negative literals in the resulting set S' are weakly 
flat. 

By definition, a d-component always has a head with vardepth greater than 
0, and a d-resolvent is either ground, or it has the same vardepth as the positive 
premise. Since we start with a set S in which all clauses have a head with 
vardepth greater than 0 (except the ground clauses), vardepth(head(C)) > 0 for 
every clause C in the resulting set S' that is not ground. Ground clauses that 
are not active are deleted, and in active ground clauses, all body literals can be 
deleted, since we know that they are false. Therefore, every ground clause in S' 
contains exactly one positive literal. 

Finally, the interpretation of a predicate symbol that occurs in S is invariant 
in the least Herbrand model of Cl(𝒞), because in every iteration of the while 
loop, a clause is replaced by all possible d-resolvents and d-components on a 
certain literal. 

Because d-resolution is only applied if the corresponding standard resolvent 
is active, all the clauses in S' are active. □ 

3.3 Condensation of the Body Literals 

The next step is the transformation of a set of non-negative Horn clauses with 
weakly flat body that has been obtained from the flatten procedure into a set 
of guarded Horn clauses with at most one body literal. Here again, we use d- 
resolution. 

The idea is to replace the body of a clause H1, ..., Hn → H by a literal 
¬Q(x1, ..., xm) where {x1, ..., xm} = var({H1, ..., Hn}) and Q is a fresh pred- 
icate symbol. We call Q a condensation predicate. 

Then, we unfold the clause C = H1, ..., Hn → Q(x1, ..., xm) in the following 
way: Let Hj be a guard of C. Then we deduce all standard resolvents of C on 
Hj with all other clauses in the set. In this way, all the variables of C are 
instantiated. Then we flatten the obtained set of clauses in basically the same 
way as in the flatten procedure, which means that we replace a clause with non- 
weakly-flat body literals by all possible d-resolvents and add new d-components 
if necessary. We do this until only clauses with weakly flat bodies are left. 

Example 2. Consider the set {T(a,b)} ∪ S, where 

S = {P(x,y), R(x,y) → S(f(x,y), g(x,y)), (1) 

T(x,y) → P(f(x,y), h(x,y)), (2) 

T(x,y) → R(f(x, g(x,y)), h(x, g(x,y))), (3) 

T(x,y) → T(x, g(x,y))} (4) 

First, we replace (1) by the clause 

Q1(x,y) → S(f(x,y), g(x,y)), (5) 

where Q1 is a new predicate symbol. Then we unfold the clause P(x,y), R(x,y) → 
Q1(x,y) on P(x,y), which gives T(x,y), R(f(x,y), h(x,y)) → Q1(f(x,y), h(x,y)) 
by resolution with (2). By d-resolution with (3), this clause is "flattened" to 

T(x,y), R'(x,y) → Q1(f(x,y), h(x,y)), (6) 

and the d-component T(x,y) → R'(x, g(x,y)) of (3) is added. Then, (6) is re- 
placed by 

Q2(x,y) → Q1(f(x,y), h(x,y)) (7) 

and in the same way as above, the clause 

T(x,y) → Q2(x, g(x,y)) (8) 

is generated. 

It is possible that variables in negative literals containing decomposition pred- 
icates are instantiated with non-ground functional terms. Therefore, d-resolution 
has to be applied on literals containing decomposition predicates. This may lead 
to the deduction of a d-component of a d-component of a clause. But this does 
not cause any problem, because it is easy to see that if D is a d-component of 
C, and E is a d-component of D, then E is a d-component of C. 

Since we have only finitely many predicate symbols, and only finitely many 
decomposition predicates can be introduced, we need to introduce only finitely 
many condensation predicates. 

We start with the set of pairs obtained from the flatten procedure. For a pair 
(C, S), it is enough to compute a condensation predicate for the body of C, since 
the bodies of the clauses in S are instances of the body of C. 

The condensation procedure is shown in Fig. 3. We denote by resolve(C, i, S), 
where C is a Horn clause and S a set of Horn clauses, the set of all possible 
resolvents of C on its i-th body literal with the clauses in S. 

Lemma 5. The procedure condense terminates for every set 𝒞 of pairs (C, S) 
where C is a guarded Horn clause and S a set of d-components of C, and such 
that 

- (i) body(C) = ∅ and head(C) is ground, or 

- (ii) vardepth(body(C)) = 0 and vardepth(head(C)) > 0, 

and the result is a set S' of guarded Horn clauses such that for each C ∈ S', 
either (i) is fulfilled, or (ii) and additionally |body(C)| = 1 are fulfilled, and such 
that M_S = M_S' ∩ HB_S, where S = Cl(𝒞). 

If all the clauses in S are active, all the clauses in S' are active. 

Proof. The set of predicate symbols that may occur in the body of the clauses 
is finite, because we start with a finite set of clauses, and every clause can only 
generate a finite number of decomposition predicates. For a finite set of predicate 
symbols 𝒫 and a finite set of ground terms T, there can only be finitely many 
negative guarded clauses (modulo renaming) that contain literals of the form 
P(t1, ..., tn) where P ∈ 𝒫 and for 1 ≤ i ≤ n, ti is either a variable or ti ∈ T. 
Since condensation predicates do not appear in negative literals in 𝒞, and no new 
ground terms can occur in non-ground clauses (Lemma 2), only finitely many 
condensation predicates need to be introduced. Therefore, the set 𝒟 is always 
finite, and the procedure terminates. 

Because a clause C is always replaced by all the possible resolvents resp. d- 
resolvents and d-components that can be obtained from (d-)resolution with other 
clauses, the interpretation of predicate symbols occurring in Cl(𝒞) is invariant in 
the least Herbrand model of Cl(𝒞 ∪ 𝒜). 
procedure condense(𝒞) 
begin 
  𝒟 = ∅; 𝒜 = ∅; S' = ∅ 
  while 𝒞 ≠ ∅ do 
    choose a pair p = (B1, ..., Bn → H, S) ∈ 𝒞 
    𝒞 = 𝒞 \ {p}; 𝒜 = 𝒜 ∪ {p} 
    if n > 1 and there is no clause B'1, ..., B'n → H' ∈ 𝒟 s.th. {B1, ..., Bn} = 
        {B'1σ, ..., B'nσ} for a renaming σ 
      let (x1, ..., xm) = var(H) 
      let Q be a fresh predicate symbol 
      𝒟 = 𝒟 ∪ {B1, ..., Bn → Q(x1, ..., xm)} 
      let Bi be a guard of B1, ..., Bn → Q(x1, ..., xm) 
      ℛ = resolve(B1, ..., Bn → Q(x1, ..., xm), i, Cl(𝒞 ∪ 𝒜)); ℛ' = ∅ 
      for all C' ∈ ℛ do 
        if C' is active in Cl(𝒞 ∪ 𝒜) then 
          if C' is ground then 𝒜 = 𝒜 ∪ {(head(C'), ∅)} 
          else ℛ' = ℛ' ∪ {C'} end if; end if; end for all 
      while ∃C ∈ ℛ': body(C) contains a non-weakly-flat literal 
        choose C = B1, ..., Bn → H ∈ ℛ' and 1 ≤ i ≤ n s.th. vardepth(Bi) > 0 
        ℛ' = ℛ' \ {C} 
        for all (C', S') ∈ 𝒞 ∪ 𝒜 s.th. for a C'' ∈ {C'} ∪ S', resolve(C, i, C'') 
            exists and is active in Cl(𝒞 ∪ 𝒜) do 
          (D, X) = d-resolve(C, i, C'', S') 
          if D is ground then D = head(D) end if 
          S' = S' ∪ X; ℛ' = ℛ' ∪ {D}; end for all; end while 
      𝒞 = 𝒞 ∪ {(C, ∅) | C ∈ ℛ'}; end if; end while 
  for all (B1, ..., Bn → H, S) ∈ 𝒜 
    let B'1, ..., B'n → H' ∈ 𝒟 be such that {B1, ..., Bn} = {B'1σ, ..., B'nσ} for 
        a renaming σ 
    S' = S' ∪ {H'σ → H} 
    for all (A1, ..., An → K) ∈ S 
      let τ such that {A1, ..., An} = {B'1τ, ..., B'nτ} 
      S' = S' ∪ {H'τ → K}; end for all; end for all 
end procedure 



Fig. 3. The condense procedure 



It is obvious that the clauses in the resulting set have either form (i), or form 
(ii) and contain one single body literal. 

Because d-resolution is only applied if the corresponding standard resolvent 
is active, all the clauses in S' are active. □ 

3.4 Transformation into Primitive Guarded Horn Clauses 

In the set we obtain from the condense procedure, the body literals of the non- 
ground clauses are weakly flat. But this means that they may contain ground 
terms and multiple occurrences of the same variable. A last transformation step 
is necessary in order to obtain primitive guarded Horn clauses. 
Here again, the idea is to replace the body literal L by a literal L' whose 
arguments are exactly the variables in var(L), and then to unfold L → L' on L. 



Example 3. Consider the set {T(a)} ∪ S, where 

S = {P(x,y,x,a) → R(f(x,y), x), (1) 

S(x,y,z) → P(g(x,y,z), h(x,y,z), g(y,x,z), z), (2) 

T(x) → S(f(x,x), f(x,x), a)} (3) 

First, we replace (1) by the clause 

Q1(x,y) → R(f(x,y), x), (4) 

introducing the new predicate symbol Q1. In the next step, we unfold the clause 
P(x,y,x,a) → Q1(x,y), which gives S(x,x,a) → Q1(g(x,x,a), h(x,x,a)) by 
resolution with (2). This clause is not primitive yet, so we replace it by 

Q2(x) → Q1(g(x,x,a), h(x,x,a)), (5) 

and we unfold the clause S(x,x,a) → Q2(x), which gives 

T(x) → Q2(f(x,x)) (6) 

by resolving with (3). 

The procedure primitive in Fig.4 implements this transformation. 



Lemma 6. The procedure primitive terminates for every set S of non-negative 
Horn clauses such that for each C ∈ S, either 

- body(C) = ∅ and head(C) is ground, or 

- body(C) = {B} for a weakly flat literal B and vardepth(head(C)) > 0, 

and furnishes as result a set of primitive guarded Horn clauses S' such that 
M_S = M_S' ∩ HB_S. 

If all the clauses in S are active, all the clauses in S' are active. 

Proof. For a finite set of predicate symbols 𝒫 and a finite set of ground terms T, 
there can only be finitely many negative non-ground literals (modulo renaming) 
of the form P(t1, ..., tn) where P ∈ 𝒫 and for 1 ≤ i ≤ n, ti is either a variable 
or ti ∈ T. Since newly introduced predicate symbols do not appear in negative 
literals in S, and no new ground terms can occur in non-ground clauses (Lemma 
2), only finitely many new predicate symbols need to be introduced. Therefore, 
the set 𝒟 is finite, and the procedure terminates. 

Because in each iteration, a clause C is replaced by two clauses C1 and C2 
in such a way that C is the resolvent of C1 and C2 on literals with a predicate 
symbol that only occurs in C1 and C2, and C2 is then replaced by all its possible 
resolvents on a certain literal L ∈ C2, the interpretation of predicate symbols 
occurring in S is invariant in the least Herbrand model of S ∪ S'. 

It is obvious that the clauses in the resulting set are primitive. Because 
newly generated clauses are not kept if they are not active, all the clauses in the 
resulting set S' are active. □ 
procedure primitive(𝒮) 
begin 
  𝒟 = ∅; 𝒮' = ∅ 
  while 𝒮 ≠ ∅ 
    choose C ∈ 𝒮 
    𝒮 = 𝒮 \ {C}; 𝒮' = 𝒮' ∪ {C} 
    if C is not primitive then 
      let C = B → H 
      if there is no B' → H' ∈ 𝒟 s.th. B = B'σ for a renaming σ then 
        let (x1, ..., xn) = var(B) 
        let Q be a fresh predicate symbol 
        𝒟 = 𝒟 ∪ {B → Q(x1, ..., xn)} 
        ℛ = resolve(B → Q(x1, ..., xn), 1, 𝒮 ∪ 𝒮') 
        for all C' ∈ ℛ 
          if C' is active in 𝒮 ∪ 𝒮' then 
            if C' is ground then C' = head(C') end if 
            𝒮 = 𝒮 ∪ {C'}; end if; end for all; end if 
    end if; end while 
  for all C = B → H ∈ 𝒮' s.th. C is not primitive 
    let B' → H' ∈ 𝒟 s.th. B = B'σ for a renaming σ 
    𝒮' = (𝒮' \ {C}) ∪ {H'σ → H}; end for all 
end procedure 



Fig. 4. The primitive procedure 
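The primitive procedure of Fig. 4 run on Example 3, added here as a Python example (it is not the paper's Objective Caml implementation). Everything below the docstring is an assumption of this example: a variable is a string, a constant or functional term is a tuple ('f', arg, ...), a literal has the same shape, a clause is (body, head) with body None for a fact, fresh predicate symbols are named Q1, Q2, ... in order of introduction, and the activity test of the paper is left out, so every resolvent is kept (on Example 3 this changes nothing). The helper clause_variant is only there to compare results modulo renaming.

```python
"""The primitive procedure of Fig. 4 run on Example 3: an added Python example,
not the paper's implementation. Constructed encoding: variables are strings,
constants and functional terms are tuples ('f', arg, ...), literals have the
same shape, a clause is (body, head) with body None for a fact. The paper's
activity test is left out here: every resolvent is kept."""
import itertools

_fresh = itertools.count(1)
is_var = lambda t: isinstance(t, str)

def subst(t, s):
    """Apply the (triangular) substitution s to a term or literal."""
    if is_var(t):
        return subst(s[t], s) if t in s else t
    return (t[0],) + tuple(subst(a, s) for a in t[1:])

def occurs(v, t):
    return t == v if is_var(t) else any(occurs(v, a) for a in t[1:])

def unify(x, y, s):
    """Most general unifier extending s, or None if there is none."""
    x, y = subst(x, s), subst(y, s)
    if x == y:
        return s
    if is_var(x):
        return None if occurs(x, y) else {**s, x: y}
    if is_var(y):
        return unify(y, x, s)
    if x[0] != y[0] or len(x) != len(y):
        return None
    for a, b in zip(x[1:], y[1:]):
        s = unify(a, b, s)
        if s is None:
            return None
    return s

def variables(t, acc=None):
    """Distinct variables of a term or literal, in order of first occurrence."""
    acc = [] if acc is None else acc
    if is_var(t):
        if t not in acc:
            acc.append(t)
    else:
        for a in t[1:]:
            variables(a, acc)
    return acc

def rename(clause):                 # rename the clause's variables apart
    body, head = clause
    tag = next(_fresh)
    s = {v: f"{v}_{tag}" for v in variables(head, variables(body) if body else [])}
    return (subst(body, s) if body else None, subst(head, s))

def variant(a, b):
    """True iff literal a equals b sigma for a renaming sigma."""
    b = subst(b, {v: f"{v}_{next(_fresh)}" for v in variables(b)})
    s = unify(a, b, {})
    return (s is not None and all(is_var(t) for t in s.values())
            and len(variables(subst(a, s))) == len(variables(a)) == len(variables(b)))

def is_primitive(clause):
    """Ground fact, or a flat linear body literal with a head that has a
    non-ground functional argument (the definition recalled in Section 4)."""
    body, head = clause
    if body is None:
        return not variables(head)
    args = body[1:]
    flat_linear = all(is_var(a) for a in args) and len(set(args)) == len(args)
    return flat_linear and any(not is_var(a) and variables(a) for a in head[1:])

def resolve(clause, others):
    """resolve(clause, 1, others) of the text: resolvents of the single body
    literal with the heads of the clauses in others, renamed apart."""
    body, head = clause
    for other in others:
        obody, ohead = rename(other)
        s = unify(body, ohead, {})
        if s is not None:
            yield (subst(obody, s) if obody else None, subst(head, s))

def primitive(S):
    S, D, S_out = list(S), [], []
    while S:
        C = S.pop(0)
        S_out.append(C)
        if is_primitive(C) or C[0] is None:
            continue
        B = C[0]
        if not any(variant(B, B2) for B2, _ in D):
            cond = (B, (f"Q{len(D) + 1}",) + tuple(variables(B)))  # B -> Q(x1, ..., xn)
            D.append(cond)
            for rb, rh in resolve(cond, S + S_out):
                if rb is not None and not variables(rb) and not variables(rh):
                    rb = None                    # ground resolvent: keep only its head
                S.append((rb, rh))
    result = []                                  # final pass: body := H' sigma
    for C in S_out:
        if is_primitive(C):
            result.append(C)
            continue
        B2, H2 = rename(next(d for d in D if variant(C[0], d[0])))
        result.append((subst(H2, unify(B2, C[0], {})), C[1]))
    return result

def clause_variant(c1, c2):          # clause equality modulo renaming
    lit = lambda c: ('cl', c[1]) if c[0] is None else ('cl', c[0], c[1])
    return variant(lit(c1), lit(c2))
```

Running primitive on the four clauses of Example 3 yields six clauses: T(a), clauses (2) and (3) unchanged (they are already primitive), and the three clauses (4), (5) and (6) of the text up to variable renaming. The renaming check in variant works because a unifier between two literals that binds only variables to variables, and loses no distinct variable, is a bijection between their variable sets.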



4 Conclusion and Future Work 



We have presented a method that transforms a satisfiable and finite set S of 
guarded Horn clauses (where guarded clauses are defined as in [7]) into a finite set 
S' of so-called primitive guarded Horn clauses such that the minimal Herbrand 
models of S and S' coincide on predicate symbols that occur in S. A primitive 
guarded Horn clause has either an empty body and a ground head, or contains 
only one body literal, which is flat and linear, and a head literal that has at least 
one non-ground functional term as argument. 

The motivation for our work is automated model building. Primitive guarded 
Horn clauses have a relatively simple structure, and seem to be suitable to rep- 
resent Herbrand models for sets of guarded clauses (the model represented by 
a set of primitive guarded Horn clauses is its least Herbrand model). Whereas 
it is possible to evaluate flat clauses (i.e. clauses that do not contain functional 
terms) in models represented in this way (see [3]), the evaluation of arbitrary 
clauses is still an open problem. At least, primitive guarded Horn clauses may 
represent models (i.e. counter-examples) in a way that is "understandable" for 
a human user. Finite models for sets of primitive guarded Horn clauses can be 
found by a method presented in [3] (the termination of this method has still to 
be shown). 
Future work will also include the attempt to extend our method to non-Horn 
guarded clauses. For a given set of guarded clauses S, this could be done by com- 
puting a set of guarded Horn clauses S' such that M_S' is a model of S. Another 
interesting candidate for a generalization of our method are weakly guarded Horn 
clauses (see [7]). Recently, it has been shown that the guarded fragment with 
equality can be decided using superposition (see [6]), which might also open a 
possibility to extend our method. Furthermore, we will study the application of 
our method to modal logics, as for example the automatic construction of Kripke 
models. 

We have implemented the presented transformation procedure in the Objec- 
tive Caml language. The source code is available from the author. 
Abstract. Linear logic provides a logical framework to express funda- 
mental computational concepts in a declarative style. As a consequence, 
it has been used as a sound foundation for the design of expressive pro- 
gramming and specification languages. Unfortunately, linearity is as con- 
venient for specifying as difficult to implement. In particular, the suc- 
cessful implementation of linear logic languages and provers involving 
context splitting strongly depends on the efficiency of the method com- 
puting a suitable split. A number of solutions have been proposed, re- 
ferred to as lazy splitting or resource management systems. In this paper, 
we present a new resource management system for the Lolli linear logic 
language. We show that the choice of the structure employed to repre- 
sent the contexts has a strong influence on the overall performance of 
the resource management system. We also estimate the performance of 
previous proposals, and compare them to our new system. 

Keywords: Linear Logic, Logic Programming, Lolli, Implementation, 
Lazy Splitting 



1 Introduction 

Linear logic, introduced by Girard in [3], is a refinement of intuitionistic and 
classical logics. It provides a finer control on the use of formulae which can be 
interpreted as resources. As a result, linear logic extends the expressive power 
of both intuitionistic and classical logics, in the sense that it allows a simpler 
and more concise representation of situations difficult to express within these. 
Therefore, linear logic constitutes a sound foundation for the design of expressive 
specification and programming languages integrating features such as object ori- 
entation and concurrency in a declarative style. On the other hand, the practical 
support of such features within intuitionistic or classical logic languages usually 
requires the use of extra-logical characteristics. 

Unfortunately, and because of its high degree of non-determinism, linearity 
is as convenient for specifying as difficult to implement. Traditional language 
implementation techniques are useless to undertake the efficient implementation 
of linear logic languages. The linear nature of formulae - the key feature on 
which the expressiveness of linear logic holds - implies that they must be used 
exactly once in a proof, raising major problems concerning their management. 
Some of the linear logic languages proposed, such as LO [1] and ACL [6], are 
based on rather restricted fragments of linear logic. Although these restrictions 
considerably simplify their implementations, they also imply a severe expressive- 
ness loss. Other languages, such as Lolli [5], Lygon [13], and Forum [10,11], are 
based on larger, more expressive, and harder to implement fragments of linear 
logic. When implementing these richer languages we are faced with the problem 
of splitting the contexts between the subproofs introduced by a bottom-up ap- 
plication of the multiplicative rules (⊗R, ⊗L, and -oL). A number of solutions 
have been proposed for the context splitting problem, commonly referred to as 
lazy splitting or resource management systems. 

This paper presents a new resource management system for the Lolli lan- 
guage, although it can be applied to any linear logic language or prover involving 
splitting. The main contributions of this paper are: 1) we show that the choice 
of the structure employed to represent the contexts has a strong influence on the 
efficiency of the resource management system, 2) we propose a new proof system 
based on an efficient structure called frame, and 3) we estimate and compare the 
performance of several resource management systems. 

The rest of the paper is organized as follows. In section 2 we briefly intro- 
duce the Lolli language and its proof system. We then revise the fundamental 
ideas of and contributions to the resource management strategies. In section 5 
we revise two well-known resource management systems for the Lolli language 
and estimate their performance. We also present and compare our new resource 
management system with them. Finally, conclusions and further work are out- 
lined. 

2 The Lolli Programming Language 

Lolli is a linear logic programming language proposed by Hodas and Miller [5,4]. 
It can be seen as a linear refinement of λProlog. Lolli is defined as the uniform 
fragment of intuitionistic linear logic freely generated from ⊤, &, -o, ⇒, and ∀. 
In addition, the connectives 1, ⊕, ⊗, !, and ∃ can also be added to goal formulae 
without compromising uniformity; thus the formal syntax of Lolli program and 
goal formulae are 

D ::= A | D1 & D2 | G -o D | G ⇒ D | ∀x.D 

G ::= A | ⊤ | 1 | G1 & G2 | G1 ⊗ G2 | G1 ⊕ G2 | D -o G | D ⇒ G | ∀x.G | ∃x.G | !G 

where A denotes an atom. The proof system of Lolli can be described in terms 
of sequents of the form 

\[ \Psi;\Delta \longrightarrow G \qquad \text{and} \qquad \Psi;\Delta \xrightarrow{D} A \]

where Ψ is a set of program formulae denoting the intuitionistic portion of the 
logic program, Δ is a multiset of program formulae denoting the linear portion 
of the logic program, D is a program formula, and G is a goal formula. Figure 1 
shows the Lolli proof system ℒ. 

Fig. 1. Lolli proof system ℒ 

3 Lazy Splitting: Assigning Formulae to Proofs 

The successful implementation of linear logic languages and theorem provers 
involving splitting strongly depends on the efficiency of the method used to 
compute a suitable context split. As an instance of this, consider the ℒ ⊗R rule 

\[ \frac{\Psi;\Delta_1 \longrightarrow G_1 \qquad \Psi;\Delta_2 \longrightarrow G_2}{\Psi;\underbrace{\Delta_1 \uplus \Delta_2}_{\Delta} \longrightarrow G_1 \otimes G_2} \]

When applying this rule bottom-up the context Δ must be split into Δ1 and 
Δ2. The problem above is that we do not know in advance how this split should 
be done. As the number of possible splits is exponential with respect to the car- 
dinality of Δ, it is clear that a trivial implementation which simply backtracks 
through all these splits is terribly inefficient. This suggests that a better imple- 
mentation technique must be developed instead, making the practical 
application of the expressive power of linear logic possible. A commonly adopted solution 
is to split the contexts lazily [5,4,13,2,8]. In this section we briefly revise the 
fundamental ideas of and contributions to the lazy splitting strategy. 

3.1 The Essence of Lazy Splitting 

The key leading to lazy splitting is that, in general, linear logic proofs are sa- 
tiable, i.e., they consume the resources they need but no more. In order to take 
advantage of this satiability, we let proofs receive an excess of formulae and re- 
turn this excess instead of failing. In other words, we do not split contexts but 
pass the whole of them to the proofs as input, which first consume the formulae 
they need and then return the unused ones as output. That is, as we cannot 
guess the required split a priori, we let the very proofs determine it a posteriori, 
assigning formulae to proofs on demand. The strategy outlined is known as the 
input-output model of resource consumption and was first proposed by Hodas 
and Miller for the Lolli language [5]. 

3.2 Input and Output Formulae 

According to the previous informal description, lazy splitting requires a sort of 
lazy sequent calculus such that lazy proofs receive an excess of formulae as input 
and return it as output. Therefore, lazy sequents must include both input and 
output portions as follows. 

\[ \Psi;\Delta \longrightarrow G \,/\, \Delta' \qquad\qquad \Psi;\Delta \xrightarrow{D} A \,/\, \Delta' \]

(in both forms Δ is the input and Δ' the output) 

The intended meaning is that the input context Δ could contain an excess of 
formulae while the output context Δ' returns this excess. Note that lazy splitting 
is concerned with the linear input Δ only. The intuitionistic input Ψ and the 
goal formula G are never split, and hence no output is required for them. 

Lazy sequent rules must assure a correct flow of input and output. Obviously, 
input flows from the root to the leaves of the proof tree as rules are applied, while 
output flows from the leaves to the root along a finished proof branch. Lazy axiom 
rules appearing at the leaves of the proof tree transfer unused input to output. 
Lazy unary rules are trivial as they simply propagate input and output in the 
suitable direction. Lazy splitting rules do "the real work". For example, consider 
the lazy ℒ ⊗R rule. 

\[ \frac{\Psi;\Delta \longrightarrow G_1 \,/\, \Delta' \qquad \Psi;\Delta' \longrightarrow G_2 \,/\, \Delta''}{\Psi;\Delta \longrightarrow G_1 \otimes G_2 \,/\, \Delta''} \]

First, the left subproof receives Δ, consumes the portion it requires and returns 
the unused one - Δ' - as output. Then, the right subproof receives Δ', consumes 
the portion it needs and returns the unused portion as output - Δ'' - to be 
further returned as the overall output of the whole proof. Of course, the lazy 
sequent at the root of a lazy proof cannot return any formula; i.e., its output 
context must be empty. 

3.3 Returnable and Non-returnable Input 

It is quite clear that a lazy proof can return an unused formula as output if and 
only if the aforementioned formula was previously passed to it as input. That 
is, a proof cannot return what it has not previously borrowed. Although this 
fact seems fairly trivial, it must be explicitly controlled by the lazy rules. For 
example, the naive lazy rule 

\[ \frac{\Psi;\{D\} \uplus \Delta \longrightarrow G \,/\, \Delta'}{\Psi;\Delta \longrightarrow D \multimap G \,/\, \Delta'} \]

is unsound, as the consumption of D is not enforced; i.e., D can be returned 
as output in Δ'. In order to avoid returning formulae out of scope, we can 
reformulate the rule above as follows: 

\[ \frac{\Psi;\{D\} \uplus \Delta \uplus \Delta' \longrightarrow G \,/\, \Delta'}{\Psi;\Delta \uplus \Delta' \longrightarrow D \multimap G \,/\, \Delta'} \]

Alternatively, we can distinguish two types of linear inputs: the non-returnable 
input, containing formulae which must be consumed; and the returnable input, 
containing formulae which could be consumed. Lazy sequents can then be ex- 
tended as follows 

\[ \Psi;\Delta;\Pi \longrightarrow G \,/\, \Pi' \qquad\qquad \Psi;\Delta;\Pi \xrightarrow{D} A \,/\, \Pi' \]

(Δ and Π are the input, Π' the output) 

where Δ stands for the non-returnable input and Π for the returnable input. 
The intended meaning is that the input context Δ must be fully consumed as it 
is non-returnable, while the input context Π could contain an excess of formulae 
which is returned by the output context Π'. Now, we can reformulate the rule 
for -o using these extended lazy sequents yielding 

\[ \frac{\Psi;\{D\} \uplus \Delta;\Pi \longrightarrow G \,/\, \Pi'}{\Psi;\Delta;\Pi \longrightarrow D \multimap G \,/\, \Pi'} \]

where the formula D is added to the non-returnable portion of the linear pro- 
gram, enforcing its consumption within the proof of the goal G. The distinction 
between returnable and non-returnable formulae was first exploited by the lazy 
splitting system proposed by Winikoff and Harland [13] for the Lygon language, 
and later reintroduced - for different reasons - by Cervesato et al. [2] for the 
Lolli language. 

4 Optimizing the Additive Connectives & and T 

The introduction of input and output formulae and the distinction between 
returnable and non-returnable input remove much - but not all - of the non- 
determinism from the resource distribution in linear logic proof search. There 
are, however, important optimizations proposed by Hodas [4] and Cervesato et 
al. [2] related to the treatment of the additive conjunction & and to the additive 
truth ⊤, which lead to a fully deterministic and much more efficient solution 
of the splitting problem. In this section, we briefly revise the aforementioned 
optimizations. 

4.1 Learning from Experience: Looking-Ahead Needs 

The ℒ &R rule in Fig. 1 constitutes a special case not discussed so far: both 
subproofs must consume exactly the same linear formulae. The non-returnable 
input causes no problem, as in any case it must be fully consumed by both sub- 
proofs. On the other hand, each subproof consumes a portion of the returnable 
input and returns the remaining portion as output. To ensure that both sub- 
proofs consume exactly the same portion of the returnable input, their output 
contexts must be equal, thus we obtain the following lazy rule. 

\[ \frac{\Psi;\Delta;\Pi \longrightarrow G_1 \,/\, \Pi' \qquad \Psi;\Delta;\Pi \longrightarrow G_2 \,/\, \Pi'}{\Psi;\Delta;\Pi \longrightarrow G_1 \,\&\, G_2 \,/\, \Pi'} \]

As pointed out in [2] this rule can be optimized. In a sequential implementation, 
the left subproof determines the portion of the returnable input consumed; that 
is, Π \ Π', where \ denotes multiset difference. We can take advantage of this 
and pass the consumed portion as non-returnable input to the right subproof, 
enforcing its consumption. The optimized lazy rule is then 

\[ \frac{\Psi;\Delta;\Pi \longrightarrow G_1 \,/\, \Pi' \qquad \Psi;\Delta \uplus (\Pi \setminus \Pi');\emptyset \longrightarrow G_2 \,/\, \emptyset}{\Psi;\Delta;\Pi \longrightarrow G_1 \,\&\, G_2 \,/\, \Pi'} \]

where the returnable input and the output of the right subproof remain empty. 

4.2 Lazy Consumption: T Is Insatiable 

The contents of the output are determined at the leaves of the proof tree by 
transferring the returnable input to the output. For example, the lazy initial 
rule transfers all the formulae from the returnable input to the output. 

\[ \Psi;\emptyset;\Pi \longrightarrow A \,/\, \Pi \]

On the other hand, the ⊤R rule consumes all of the non-returnable input as well 
as an unknown portion of the returnable input. 

\[ \Psi;\Delta;\Pi \uplus \Pi' \longrightarrow \top \,/\, \Pi' \]

Determining Π', however, is not trivial. Recall the key idea leading to lazy split- 
ting: linear logic proofs are satiable; that is, they consume what they need but 
no more. But ⊤ wants it all. In a sense, while the other connectives are satiable, 
⊤ is not. The rule above shows that the returnable input must be split into two 
portions: one consumed by ⊤ and the other one returned as output. Thus, we 
are apparently faced with a context splitting problem again. Nevertheless, this 
splitting requires a quite different technique to be accomplished lazily. Hodas 
provided a first solution to this problem in [4], which was further refined by 
Cervesato et al. in [2]. 

The main idea is delaying the consumption of ⊤ by attaching a boolean 
discard indicator - referred to as slack indicator in [2] - to the output. This 
indicator denotes whether the associated output has been returned by a ⊤ or 
not. The lazy sequents have then the form 

\[ \Psi;\Delta;\Pi \longrightarrow G \,/\, \Pi';d \qquad\qquad \Psi;\Delta;\Pi \xrightarrow{D} A \,/\, \Pi';d \]

where d is the aforementioned discard indicator. Now, the lazy ⊤ rule does not 
consume any portion of the returnable input but transfers it to the output and 
sets the discard indicator to 1 as follows. 

\[ \Psi;\Delta;\Pi \longrightarrow \top \,/\, \Pi;1 \]

By returning all of the returnable input, the real consumption of ⊤ is delayed 
and all of the returnable input is made available to be consumed elsewhere. In a 
sense, this is not exactly lazy splitting but lazy consumption. On the other hand, 
the consumption of the output returned by a ⊤ is no longer mandatory, as in any 
case it could have been consumed by that ⊤. Thus, if a portion of the returned 
output is not consumed elsewhere, it is assigned to any ⊤ it has visited - if any 
- and silently discarded. Thus the final consumption of ⊤ is lazily determined 
when the unused output is discarded. Of course, the other lazy axiom rules set 
the indicator to 0, as their output must be consumed elsewhere. Lazy unary 
rules are trivial, as they simply propagate both the contexts and the discard 
indicator. The lazy binary rules are split into two rules, depending on the value 
of the discard indicator returned by the left subproof. Further details of this 
solution can be consulted in [4,2]. 
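The lazy rules of sections 3.2 to 4.2 put together as one proof-search procedure, added here as a Python example (it is not code from the paper nor from any Lolli implementation). The example assumes a propositional fragment: goals built from atoms, ⊤, 1, ⊗, &, -o and ⇒, and program formulae that are atoms or clauses G -o A. The tuple encoding in the docstring and the integer labels attached to linear formulae are constructed for the example; the labels stand in for the multiset operations the rules need (Π \ Π', and sorting a returned context back into its non-returnable and returnable parts). The binary rules with a discard indicator are written as the text describes them: the indicator returned by the left subproof selects which of the two variants applies.

```python
"""Lazy splitting for a propositional fragment of Lolli with returnable and
non-returnable linear input and a discard (slack) indicator.

Added example, not the paper's code. Constructed encoding:
  goals     G ::= ('atom', a) | ('top',) | ('one',) | ('tensor', G1, G2)
                | ('with', G1, G2) | ('lolli', D, G) | ('imp', D, G)
  programs  D ::= ('atom', a) | ('clause', G, a)          # G -o a
A linear context is a list of (label, D) pairs; the integer label tells two
copies of the same formula apart when contexts are intersected.
"""
import itertools

_labels = itertools.count()


def label(formula):
    """Attach a fresh label to a program formula entering a linear context."""
    return (next(_labels), formula)


def restrict(ctx, keep):
    """The part of ctx (by label) that originally came from keep."""
    ids = {lab for lab, _ in keep}
    return [r for r in ctx if r[0] in ids]


def without(ctx, r):
    return [x for x in ctx if x[0] != r[0]]


def solve(psi, delta, pi, goal):
    """Lazy sequent  psi; delta; pi --> goal / pi_out; d.

    psi   intuitionistic program (never split)
    delta non-returnable input: must be consumed by this proof
    pi    returnable input: may be consumed, the rest is returned
    Yields every (pi_out, d) the rules admit; d = 1 means the output passed
    through a top and may be silently discarded.  Search is depth-first.
    """
    kind = goal[0]
    if kind == 'top':                          # top eats delta, returns pi, slack
        yield pi, 1
    elif kind == 'one':                        # 1 consumes nothing at all
        if not delta:
            yield pi, 0
    elif kind == 'atom':
        a = goal[1]
        for d in psi:                          # intuitionistic clauses: no split
            yield from backchain(psi, delta, pi, d, a)
        for r in delta:                        # linear clause that had to be used
            yield from backchain(psi, without(delta, r), pi, r[1], a)
        for r in pi:                           # linear clause we may use
            yield from backchain(psi, delta, without(pi, r), r[1], a)
    elif kind == 'tensor':
        _, g1, g2 = goal
        # the left subproof sees everything as returnable; what it hands back
        # is sorted again into strict (from delta) and lax (from pi)
        for pi1, d1 in solve(psi, [], delta + pi, g1):
            if d1:                             # a top on the left absorbs leftovers
                for pi2, _ in solve(psi, [], pi1, g2):
                    yield restrict(pi2, pi), 1
            else:
                for pi2, d2 in solve(psi, restrict(pi1, delta), restrict(pi1, pi), g2):
                    yield pi2, d2
    elif kind == 'with':
        _, g1, g2 = goal
        for pi1, d1 in solve(psi, delta, pi, g1):
            left_over = {lab for lab, _ in pi1}
            consumed = [r for r in pi if r[0] not in left_over]   # pi \ pi'
            # the right subproof must consume what the left consumed; with
            # slack on the left it may also take more of pi1
            for pi2, d2 in solve(psi, delta + consumed, pi1 if d1 else [], g2):
                yield (pi2 if d1 else pi1), int(d1 and d2)
    elif kind == 'lolli':                      # D is non-returnable: cannot escape
        _, dform, g = goal
        for pi1, d1 in solve(psi, delta + [label(dform)], pi, g):
            yield restrict(pi1, pi), d1
    elif kind == 'imp':
        _, dform, g = goal
        yield from solve(psi + [dform], delta, pi, g)


def backchain(psi, delta, pi, clause, a):
    """Prove atom a with one clause; its body (if any) gets the remaining input."""
    if clause[0] == 'atom':
        if clause[1] == a and not delta:
            yield pi, 0
    elif clause[0] == 'clause' and clause[2] == a:
        yield from solve(psi, delta, pi, clause[1])


def provable(psi, linear, goal):
    """Root query: the whole linear program is non-returnable input, and the
    empty returnable input guarantees an empty output at the root."""
    delta = [label(d) for d in linear]
    return any(True for _ in solve(psi, delta, [], goal))
```

With the linear program {a, b}, the goal a ⊗ b is provable, a alone is not (b would be left over), and both a ⊗ ⊤ and ⊤ ⊗ a are provable: in the second case the left ⊤ returns everything with indicator 1, the right subproof takes a, and the leftover is charged to the ⊤. The goal (a -o ⊤) ⊗ a from the empty program fails, because the a added by -o stays inside its own subproof even though a ⊤ visited it.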

5 A Comparison of Three Resource Management 
Methods 

In this section, we introduce a new resource management system CC and compare 
it to previous proposals. In essence, the basic principle of these systems is the 
same. The main difference comes from the structure employed to represent the 
contexts. We show that this has a strong influence on the performance of the 
proof system. It is worth noting that we are concerned with the cost incurred by 
the management of resources; and hence, we do not take into account the cost 
of unification or clause selection. 

5.1 The IO Proof System: The List Approach 

The IO proof system for Lolli was proposed by Hodas and Miller in [5]. It 
is the first system ever devised to solve the context splitting problem; some 
optimizations were later proposed in [2], whereas the ⊤ optimization was first 
proposed by Hodas in [4]. The formal definitions and the proof system in this 
section are taken from [4]. 

The lO system uses lists to represent a sort of contexts named lO-contexts, 
defined as follows. 

Definition 1 (XO-context). An TO -context is a list of formulae, each of which 
is either a program formula, a program formula marked with a \, or a constant 
named del. The list is built with the usual constructors :: and nil. 

The lazy sequents, named IO-sequents, have the form I{G}O where I and O
are IO-contexts and G is a goal formula. The intended reading is that the goal
G is solved from the input I and returns the output O. The input I contains the
logic program encoded as follows: a program formula stands for a linear clause,
a program formula marked with ! for an intuitionistic clause, and a constant del
for a deleted (i.e., used) clause. The output O contains individual constraints for
each program formula in I; that is, the i-th element of O imposes a consumption
constraint on the i-th element of I. These constraints are encoded as follows:
if the i-th element of O is a program formula - either marked or not with a !
- then the i-th element of I must be returned as output. Note that if the i-th
element of O is a non-!'ed formula, this implies that the i-th element of I is a
linear clause which cannot be used to construct the proof. The IO proof system
is the only one of the proof systems considered in this paper imposing such a
bizarre behavior: an IO lazy proof receives linear formulae it cannot use. On
the other hand, a constant del in the i-th position of O indicates that the i-th
element of I is a linear clause which must be consumed. The IO system works
by checking that the logic program I satisfies the constraints O at certain nodes
of the proof tree. In order to do that, two relations between IO-contexts must
be defined:

Definition 2 (pick(I,O,R)). The ternary relation pick(I,O,R) holds if R occurs
in the IO-context I, and O results from replacing that occurrence of R in
I with the constant del. The relation also holds if !R occurs in I, and I and O
are equal.

Definition 3 (subcontext(O,I)). An IO-context O is a subcontext of an IO-
context I, denoted by the predicate subcontext(O,I), if O arises from replacing
zero or more non-!'ed elements of I with del.
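As an added example (Python written for this edition, not code from the paper), the following models IO-contexts as lists and implements Definitions 2 and 3 together with the prefix comparison that the IO ! rule performs; the tuple encoding of entries, the function names, the comparison counter and the sample context are this example's own choices.

```python
# IO-contexts of the Hodas-Miller IO system (added example, not the paper's code).
# An IO-context is a list whose elements are:
#   ("lin", F)   a linear program formula F (consumable exactly once)
#   ("bang", F)  an intuitionistic program formula !F (reusable)
#   "del"        a deleted (already consumed) clause

DEL = "del"

def pick(I, R):
    """Definition 2: all outputs O such that pick(I, O, R) holds.
    A linear occurrence of R is replaced by del; a !R occurrence leaves I unchanged."""
    outs = []
    for i, entry in enumerate(I):
        if entry == DEL:
            continue
        kind, formula = entry
        if formula != R:
            continue
        if kind == "lin":
            outs.append(I[:i] + [DEL] + I[i + 1:])
        else:                       # "bang": !R may be used without consuming it
            outs.append(list(I))
    return outs

def subcontext(O, I):
    """Definition 3: O arises from I by replacing zero or more non-!'ed elements by del."""
    if len(O) != len(I):
        return False
    for o, i in zip(O, I):
        if o == i:
            continue
        if o == DEL and i != DEL and i[0] == "lin":
            continue                # a linear clause was deleted: allowed
        return False                # a !'ed clause was deleted, or a formula changed
    return True

def bang_rule_output(I, O_prefix):
    """IO ! rule: input and output must be equal.  Only the first n output elements
    (O_prefix) are known; the variable suffix M is bound to the remaining m - n input
    elements.  Returns (M, comparisons), or (None, comparisons) when a known prefix
    element disagrees with the input.  The comparison count exhibits the O(n) cost
    the text attributes to this rule."""
    comparisons = 0
    if len(O_prefix) > len(I):
        return None, comparisons
    for o, i in zip(O_prefix, I):
        comparisons += 1
        if o != i:
            return None, comparisons
    return I[len(O_prefix):], comparisons

# Constructed sample input: a linear a, an intuitionistic b, another linear a, a used clause.
SAMPLE_I = [("lin", "a"), ("bang", "b"), ("lin", "a"), DEL]
```

Running pick(SAMPLE_I, "a") yields two candidate outputs, one per linear occurrence of a, which is the non-determinism the pick rules introduce; picking the !'ed b leaves the context unchanged.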

Figure 2 shows the IO proof system for propositional Lolli. In order to estimate
the performance of an implementation of the IO proof system we need
to determine the form of the IO-contexts. It should be clear that the input is
always a list of the form I1 :: ... :: In :: nil, where Ii is a program formula
- either !'ed or not - or the constant del. To determine the form of the output,
consider the IO ⊗ rule. The left subproof introduces a new variable M.
On the other hand, each occurrence of an implication in a goal will add a new
constraint to the output so, in general, the output IO-contexts have the form
O1 :: ... :: On :: M, where Oi is a !'ed program formula or the constant del, and
M is a variable; that is, the output has a known prefix O1 :: ... :: On and an
unknown suffix M. Finally, consider the IO ! rule. To apply this rule, the input
and the output must be equal; that is, I1 :: ... :: Im :: nil = O1 :: ... :: On :: M,
where m > n. This requires comparing the first n elements of both lists and
transferring m − n elements from the input to the output. Note that this is the only
way to insert a non-!'ed formula into the output.

Fig. 2. Propositional Lolli proof system IO. [The rule figures are not legible in
the scan; the rules are IO 1, IO ⊤, IO !, IO ⊗, IO &, IO ⊸, IO ⇒, IO pickΔ,
and IO pick⊸.]

Now that we have determined the form of the IO-contexts, it is an easy
matter to estimate the cost of the IO rules. It is clear that the cost of the IO !
rule is O(n), i.e., it is proportional to the number of elements of the instantiated
prefix of O. The same reasoning can be applied to other rules enforcing equality
of I and O; namely IO 1, IO pickΔ, and IO pick⊸. On the other hand, IO ⊤
has cost O(n) as well, due to the subcontext relation. The rest of the rules are
O(1), since they do not involve traversing any structure.



The pick problem. Recall that it is possible for an IO proof to receive formulae
as input which cannot be used. This singularity is responsible for a severe
flaw in the efficiency of the IO system, which we call the pick problem. Consider,
for instance, the proof

\[
\frac{\dfrac{I\{a\}M \qquad M\{b\}I}{I\{a \otimes b\}I}}{I\{!(a \otimes b)\}I}
\]

In the proof above, the application of the IO ! rule enforces the equality of the
input and output IO-contexts. This could transfer non-!'ed formulae from the
input to the output, imposing the constraint that these formulae cannot be used
to build the proof. On the other hand, the application of IO ⊗ replaces the
output context I by a new variable M, eliminating all of the constraints on the
subproof of the goal a. Thus, the system attempts to build a proof for a using
all of the formulae in the input I, including those we know cannot be used. This
constraint is restored for the proof of the goal b and checked at the leaves of
the proof subtree. The same problem arises from the rule IO pick⊸, where a
formula G ⊸ A is picked without taking into account the current constraints.



5.2 The LL Proof System: The Frame Approach

In subsection 3.3 an important principle of the lazy splitting strategy was stated:
a lazy proof cannot return a formula that it has not borrowed previously. That is,
a lazy proof system must preserve the scope of formulae. This was solved for
individual formulae introduced by implications by distinguishing two classes of
contexts: the non-returnable input context and the returnable one. The splitting
rules also introduce a scope problem not discussed so far. Consider the lazy ⊗
rule (we drop here the discard indicator)

\[
\frac{\Psi;\emptyset;(\Delta \uplus \Pi) \longrightarrow G_1 / (\Delta' \uplus \Pi') \qquad \Psi;\Delta';\Pi' \longrightarrow G_2 / \Pi''}{\Psi;\Delta;\Pi \longrightarrow G_1 \otimes G_2 / \Pi''}
\]

In the rule above, the proof of G1 ⊗ G2 cannot return any formula from Δ; i.e.,
the scope of Δ must be preserved. On the one hand, Δ must be temporarily
combined with Π to be lazily split. On the other hand, the residue Δ' must be
restored in the original scope of Δ to ensure that Δ is fully consumed. According
to the rule above, the returnable input context (Δ ⊎ Π) and the output context
(Δ' ⊎ Π') should be arranged to preserve the scope of the formulae. In this section
we propose a new structure for these contexts which we call a frame. We show
that frames are an appropriate choice for these contexts, as they encode the scope of
formulae both effectively and efficiently. A new frame-based lazy proof system
LL for Lolli is presented and proved to be logically equivalent to the original
proof system L. Finally, the cost of the LL lazy rules is estimated.

The LL proof system uses frames to represent returnable input contexts and
output contexts. Frames are formally defined as follows:

Definition 4 (Frame). A frame is a list of multisets. The empty frame is denoted
by the constant nil, while Δ :: Π denotes the frame obtained by concatenating
the multiset Δ and the frame Π.

In order to formulate a frame-based lazy proof system, we need to define the
following relations on frames:

Definition 5 (Frame Equality). The equality on frames is recursively defined
upon the equality of multisets as follows:

1. nil = nil

2. Δ1 :: Π1 = Δ2 :: Π2 ⟺ (Δ1 = Δ2) ∧ (Π1 = Π2)

Definition 6 (Inclusion Relation, ⊑). The inclusion relation on frames is
recursively defined upon the inclusion relation on multisets as follows:

1. nil ⊑ nil

2. Δ1 :: Π1 ⊑ Δ2 :: Π2 ⟺ (Δ1 ⊆ Δ2) ∧ (Π1 ⊑ Π2)

Definition 7 (Frame Insert Operator, ◁). Given a frame Π and a formula
F, Π ◁ F denotes a frame obtained by inserting one occurrence of F into a
multiset of the frame Π.

Definition 8 (Frame Union, ⊔). Given two frames, their union frame is defined
upon the multiset union ⊎ as follows:

1. nil ⊔ nil ≝ nil

2. Δ1 :: Π1 ⊔ Δ2 :: Π2 ≝ (Δ1 ⊎ Δ2) :: (Π1 ⊔ Π2)

Definition 9 (Frame Multiset Difference, −). Given two frames, their multiset
difference is the multiset defined as follows:

1. nil − nil ≝ ∅

2. Δ1 :: Π1 − Δ2 :: Π2 ≝ (Δ1 \ Δ2) ⊎ (Π1 − Π2)

where \ denotes the multiset difference.
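The frame operations of Definitions 5-9, as an added Python example written for this edition (not the paper's code), using collections.Counter as the multiset type. The function names are this example's own, as are the lazy_tensor_split and consume helpers, which illustrate how the splitting rule of this subsection pushes Δ onto the frame and pops the residue Δ' back into its own scope; taking resources from the top-most level first is a modelling choice, not something the paper prescribes.

```python
from collections import Counter

# Added example, not the paper's code.  A frame (Definition 4) is a list of Counters;
# nil is the empty list and frame[0] :: frame[1:] plays the role of Delta :: Pi.

def multiset(*formulas):
    """Build a multiset (Counter) from formula names; multiset() is the empty multiset."""
    return Counter(formulas)

def frame_equal(f1, f2):
    """Definition 5: same length and pointwise multiset equality (zero counts ignored)."""
    return len(f1) == len(f2) and all(+a == +b for a, b in zip(f1, f2))

def frame_included(f1, f2):
    """Definition 6: same length and pointwise multiset inclusion."""
    return len(f1) == len(f2) and all(
        all(a[k] <= b[k] for k in a) for a, b in zip(f1, f2))

def frame_insert(frame, formula, position=0):
    """Definition 7: one more occurrence of `formula` in the multiset at `position`
    (the definition leaves the multiset unspecified; the top level is the default here)."""
    new = [Counter(m) for m in frame]
    new[position][formula] += 1
    return new

def frame_union(f1, f2):
    """Definition 8: pointwise multiset union of two frames of equal length."""
    if len(f1) != len(f2):
        raise ValueError("frame union is only defined for frames of equal length")
    return [a + b for a, b in zip(f1, f2)]

def frame_difference(f1, f2):
    """Definition 9: a single multiset collecting the pointwise multiset differences.
    Counter subtraction keeps positive counts only, i.e. it is multiset difference."""
    if len(f1) != len(f2):
        raise ValueError("frame difference is only defined for frames of equal length")
    total = Counter()
    for a, b in zip(f1, f2):
        total += a - b
    return total

def consume(frame, formulas):
    """Stand-in for the left subproof: remove each formula in `formulas` from the
    top-most level that holds it (modelling choice), failing if none is available."""
    new = [Counter(m) for m in frame]
    for f in formulas.elements():
        for level in new:
            if level[f] > 0:
                level[f] -= 1
                break
        else:
            raise ValueError(f"no available occurrence of {f}")
    return [+m for m in new]          # drop zero counts

def lazy_tensor_split(delta, pi, consumed_by_g1):
    """Scope handling of the splitting rule: push Delta onto the frame (Delta :: Pi),
    let the left subproof consume lazily, then pop the residue Delta' as the right
    subproof's non-returnable input while Pi' stays returnable.  Push and pop are O(1)."""
    residue = consume([Counter(delta)] + list(pi), consumed_by_g1)   # Delta' :: Pi'
    return residue[0], residue[1:]
```

The returned Π' is a subframe of Π (Proposition 1), which frame_included checks; frame_difference(Π, Π') then gives the part of the returnable input that G1 actually consumed, the multiset the soundness theorem hands to the L proof.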

Figure 3 shows the LL proof system. The sequents of this system have the
form

Ψ; Δ; Π ⟶ G / Π'; d and Ψ; Δ; Π ⟶^D G / Π'; d

where Π and Π' are frames, and the rest of the components are defined as in
section 4. Most of the lazy rules are obtained by a straightforward application
of the ideas presented in sections 3 and 4. The main novelty is in the LL ⊗d-R
and LL ⊸d-L rules, where the frames are effectively used to preserve the scope
of the formulae.

Soundness and Completeness. The LL lazy proof system in Fig. 3 is logically
equivalent to the L proof system in Fig. 1. The soundness and completeness
theorems are stated below. Formal proofs for a frame-based resource management
system for Forum [10, 11] - an asynchronous multiple-conclusion presentation of
higher order linear logic - are available [9]. The inclusion proposition states an
important property of LL; namely, the scope of formulae is preserved.

Proposition 1 (Inclusion). The output is a subframe of the returnable input:

1. If Ψ; Δ; Π ⟶ G / Π'; d then Π' ⊑ Π

2. If Ψ; Δ; Π ⟶^D G / Π'; d then Π' ⊑ Π

In the following results, we refer to either the LL or the L proof system depending
on the aspect of the involved sequent.

Theorem 1 (Soundness). LL is sound with respect to L; that is, for all Δ':

1. If Ψ; Δ; Π ⟶ G / Π'; 0 then Ψ; Δ ⊎ (Π − Π') ⟶ G

2. If Ψ; Δ; Π ⟶^D G / Π'; 0 then Ψ; Δ ⊎ (Π − Π') ⟶^D G

3. If Ψ; Δ; Π ⟶ G / Π'; 1 then Ψ; Δ ⊎ (Π − Π') ⊎ Δ' ⟶ G

4. If Ψ; Δ; Π ⟶^D G / Π'; 1 then Ψ; Δ ⊎ (Π − Π') ⊎ Δ' ⟶^D G

Fig. 3. Lolli proof system LL. [The rule figures are not legible in the scan; the
rules are LL ⊤-R, LL 1-R, LL &0-R, LL &1-R, LL !-R, LL ⊕i-R (i = 1, 2),
LL ⊸-R, LL ⇒-R, LL ⊗0-R, LL ⊗1-R, LL ∃-R, LL ∀-R, LL decide Ψ,
LL decide Δ, LL decide Π, LL initial, LL ∀-L, LL &i-L (i = 1, 2), LL ⇒-L,
LL ⊸0-L, and LL ⊸1-L.]

This result establishes a mapping between LL and L proofs. Basically, an LL
proof is mapped into an L proof receiving the portion of the returnable input
which is actually consumed, Π − Π'. In addition, if the LL proof sets the discard
to 1, then the L proof can be obtained even if arbitrary resources Δ' were
considered.

Theorem 2 (Completeness). LL is complete with respect to L; that is, for
all Π and d = 0 ∨ d = 1:

1. If Ψ; Δ ⟶ G then Ψ; Δ; Π ⟶ G / Π; d

2. If Ψ; Δ ⟶^D G then Ψ; Δ; Π ⟶^D G / Π; d

The completeness theorem states that every L proof is mapped into an LL
proof where all of the additional returnable input Π is simply returned.

Estimating the cost of the LL rules. In order to estimate the cost of a direct
implementation of the LL rules there is an important detail worth noting.
The output context does not encode any consumption constraint as in the Hodas-
Miller method; it is conceived as a means of transferring unused returnable
input from a given subproof to another one. This means that the output remains
unknown while a branch of the proof is being constructed. In fact, the lazy
sequent rules of LL can be classified into three groups with respect to the way
they cope with output contexts; namely, the transferring rules, the propagating
rules and the splitting rules. The transferring rules LL ⊤-R, LL 1-R, LL !-R,
and LL initial transfer returnable input to the output. Note that this transfer
can be efficiently done in O(1), which is the cost of these rules. The propagating
rules simply propagate the output from the premises to the conclusion; that is,
the cost of LL ⊕-R, LL ⊸-R, LL ⇒-R, LL ∃-R, LL ∀-R, LL ∀-L, LL &-L,
LL ⇒-L, and the decide rules is O(1) as well. The splitting rules LL ⊗d-R and
LL ⊸d-L take advantage of the frame structure, and are the main contribution
of the LL proof system. Notice that these rules manipulate the frame as a stack:
the left premise pushes the non-returnable input Δ onto the frame, while the
right subproof pops the residue Δ' from the frame. Both operations are clearly O(1), and
hence, the overall cost of the splitting rules is O(1). This way, the frame structure
allows encoding and restoring the scope of the formulae at a minimal cost.

Again, the LL &d-R rule constitutes a special case. While at first sight
it seems to be a propagating rule, it does incur a higher cost due to the
optimization presented in section 4. Note that the left premise of this rule receives
Δ ⊎ (Π − Π') as non-returnable input. The multiset union can be implemented at
cost O(1) since we do not need to collapse its elements; but the frame difference
requires traversing the frames. Therefore, the cost of this rule is O(n); i.e., it is
proportional to the size of the frames involved. This cost seems to be unavoidable:
the non-optimized &-R rule is O(n) as well, since it compares the output
contexts of both premises. On the other hand, the optimized rule removes a
source of non-determinism, as it enforces the consumption of the formulae. As
the rest of the LL rules are O(1), we consider our LL system to be optimal.
5.3 The RMS Proof System: The Labelled Set Approach

The RMS system for Lolli was proposed by Cervesato et al. in [2]. This system
introduced an elegant notation for the sequents and the rules. In particular, it
explicitly distinguishes non-returnable and returnable input contexts. The system
also replaces the left rules by a resolution calculus which translates a program
formula into a goal one.

The RMS system represents contexts as labelled sets. A labelled set is formally
defined as follows:

Definition 10 (Labelled Set). A labelled set is a set such that each element
has a unique label attached to it.

The RMS system can be described in terms of sequents of the form

Ψ; Δ; Π ⟶ G / Π'; d

where Ψ, Δ, Π, and Π' are labelled sets of formulae. The intended reading
is the usual one. It is worth noting that the use of labels in RMS is not an
implementation detail. On the contrary, these labels are required to ensure the
soundness and completeness of the system.

Apart from the resolution calculus, the only difference between RMS and
LL is the splitting ⊗-R rule. The rest of the right rules of the LL system are
isomorphic to the rules of RMS¹. Hence, the cost of these RMS rules is equal
to the cost of the corresponding LL rules: O(n) for &-R and O(1) for the rest.
The ⊗-R rules of the RMS system are as follows:

\[
\frac{\Psi;\emptyset;\Delta \uplus \Pi \longrightarrow G_1 / \Pi';0 \qquad \Psi;\Delta \cap \Pi';\Pi \cap \Pi' \longrightarrow G_2 / \Pi'';d}{\Psi;\Delta;\Pi \longrightarrow G_1 \otimes G_2 / \Pi'';d}
\]

\[
\frac{\Psi;\emptyset;\Delta \uplus \Pi \longrightarrow G_1 / \Pi';1 \qquad \text{[contexts of the second premiss illegible in the scan]} \longrightarrow G_2 / \Pi'';d}{\Psi;\Delta;\Pi \longrightarrow G_1 \otimes G_2 / \Pi \cap \Pi';1}
\]

Note that a labelled set does not provide structure to encode the scope of the
formulae it contains. Therefore, to restore the formulae in the appropriate scope,
an intersection operation is required. This involves traversing the labelled sets
being intersected; and hence, the rules above are O(n); i.e., their cost is proportional
to the cardinality of the labelled sets involved. The same cost arises for the
absent ⊸-L rule, since each occurrence of this connective is translated to a
⊗-R by the resolution calculus.

The cost incurred by these two connectives is crucial for the overall performance
of a practical implementation of Lolli, since these connectives are widely
employed. In particular, ⊗ usually occurs deeply nested. This is evidenced by
the concrete syntax of Lolli, which employs :- for ⊸ and , (comma) for ⊗.

¹ However, we first discovered and applied the frame approach to the Lygon lazy
splitting system [13], and then to the RMS system.
6 Conclusions and Further Work

It is well-known that lazy splitting strongly improves the performance of the
implementation of any linear logic language or theorem prover involving context
splitting. In this paper, we have shown that the structure employed to represent
contexts is crucial for the efficiency of lazy splitting as well. In particular, we
have introduced a new data structure we call frame to represent contexts, which
encodes the scope of the formulae both effectively and efficiently. We have also
shown that, except for the &-R rule, it is possible to reduce the cost of all of the
rules to O(1), excluding the cost of unification and clause selection incurred by
the typical implementation of the decide rules. To the best of our knowledge, LL
is the only resource management system featuring this performance. According
to the results obtained, we think the LL resource management is optimal. We
have applied our frame approach to Forum [11] and implemented UMA Forum
(available from http://www.lcc.uma.es/~lopez/umaforum), a prototype interpreter
of a subset of first order Forum. This implementation employs a single
data structure to store the logic program (i.e., the Ψ, Δ, and Π contexts) in
such a way that the order of the clauses is preserved. Whereas this is irrelevant
from the point of view of automated theorem proving, it endows a logic programming
language with a predictable behavior. Given the capability of linear logic
to express concurrency, we intend to develop a parallel version of our resource
management system.
Abstract. Linear Logic [4] has raised a lot of interest in computer research,
especially because of its resource sensitive nature. One line of
research studies proof construction procedures and their interpretation
as computational models, in the “Logic Programming” tradition. An
efficient proof search procedure, based on a proof normalization result
called “Focusing”, has been described in [2]. Focusing is described in
terms of the sequent system of commutative Linear Logic, which it refines
in two steps. It is shown here that Focusing can also be interpreted
in the proof-net formalism, where it appears, at least in the multiplicative
fragment, to be a simple refinement of the “Splitting lemma” for
proof-nets. This change of perspective allows us to generalize the Focusing
result to (the multiplicative fragment of) any logic where the “Splitting
lemma” holds. This is, in particular, the case of the Non-Commutative
logic of [1], and all the computational exploitation of Focusing which
has been performed in the commutative case can thus be revised and
adapted to the non commutative case.



1 Introduction 

Linear Logic [4] has raised a lot of interest in computer research, especially because
of its resource sensitive nature. One line of research, supported by systems
such as LO [3], Lambda-Prolog [8], Forum [9] or Lolli [7], studies proof construction
procedures and their interpretation as computational models, in the “Logic
Programming” tradition. An efficient proof-search procedure for Linear Logic,
based on a proof normalization result called “Focusing”, has been described
in [2]. Focusing is described there in terms of the sequent system of (commutative)
Linear Logic, which it refines in two steps (“Dyadic”, resp. “Triadic”
system). Basically, each refinement eliminates redundancies in proof-search due
to irrelevant sequentializations of inference figures in the sequent-based representation
of proofs. The expressive power of Focusing is captured in a crisp way
in a fully representative fragment of Linear Logic, called “LinLog”, introduced
in [2] together with a normalization procedure from Linear Logic to LinLog.
This procedure allows one to represent in LinLog all the fragments considered in the
various systems mentioned above.

* This work was performed while the second author was visiting XRCE; this visit was
supported by the European TMR (Training and Mobility for Researchers) Network
“Linear Logic in Computer Science” (esp. the Rome and Marseille sites, XRCE being
attached to the latter).

It is shown here that Focusing can also be interpreted in the proof-net formalism,
where it appears, at least in the multiplicative fragment, to be a simple
refinement of the “Splitting lemma” for proof-nets. The Splitting lemma is at
the core of the Sequentialization procedures for proof-nets, and Focusing thus
appears as a sequentialization strategy. This change of perspective allows us to
generalize the Focusing result to (the multiplicative fragment of) any logic where the
“Splitting lemma” holds. This is, in particular, the case of the Non-Commutative
logic of [1], and all the computational exploitation of Focusing which has been
performed in the commutative case can thus be revised and adapted to the non
commutative case. The expected outcome of such a program is a finer model of
computational resources and agent-based coordination of these resources.

But beyond the technical results, the aim of this paper is to show that Focusing
is not limited to a technique adapted to the specific problem of computational
proof search, although that was its original motivation (in the line of
uniform proofs for Intuitionistic Logic [10]). Focusing is an intrinsic property
of resource-conscious logics which admit an involutive duality. It captures in a
single framework the quite straightforward and well-known property of “invertibility”
of some connectives (called “asynchronous” or negative) together with
the not-so-well-known dual of this property which applies to the dual connectives
(called “synchronous” or positive), through so-called “critical focusing sections”.
Focusing, just as Cut-elimination, is a purely logical property, and it is not surprising
that it appears under different forms in different contexts, for instance in
sequent systems (through search procedures), or in proof-nets (through sequentialization),
or even in the more ambitious program of reformulation of Logic
known as “Ludics” [5,6].

Section 2 recalls prior art and notations exploited in this paper. Section 3
describes the main result of this paper, i.e. a reformulation of Focusing in terms
of proof-nets and its application to Non-commutative logic.

2 Notations and Prior Art 

2.1 Notations 

We consider here the multiplicative fragment of Linear Logic (resp. Non-commutative
Logic). The connectives are split into two categories:

— Asynchronous: ⅋ (par), and, in the Non-Commutative case, ∇ (sequential)

— Synchronous: ⊗ (times), and, in the Non-Commutative case, ⊙ (next)

Formulae are built from a given class of atomic formulae using the above
connectives. A non atomic formula is said to be asynchronous (resp. synchronous)
if its top-most connective is asynchronous (resp. synchronous). We assume an
involutive duality operation on atomic formulae, generalized to all the formulae
using the traditional De Morgan laws:

\[
(A ⅋ B)^{\perp} = B^{\perp} \otimes A^{\perp} \qquad (A \otimes B)^{\perp} = B^{\perp} ⅋ A^{\perp}
\]

\[
(A \nabla B)^{\perp} = B^{\perp} \odot A^{\perp} \qquad (A \odot B)^{\perp} = B^{\perp} \nabla A^{\perp}
\]

Furthermore, we assume that the class of atomic formulae is split into two dual,
disjoint subclasses, called the positive (resp. negative) atoms.
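The duality and the asynchronous/synchronous classification above, as an added Python example written for this edition (not code from the paper); the tuple encoding of formulae and the function names are this example's own.

```python
# Added example, not the paper's code: formulae of multiplicative (Non-)Commutative
# Linear Logic as nested tuples, with the involutive duality of section 2.1.
#   ("atom", name, positive)   atomic formula; positive=False denotes the dual atom name⊥
#   (op, A, B)                 op in "par" (⅋), "tensor" (⊗), "seq" (∇), "next" (⊙)

ASYNCHRONOUS = {"par", "seq"}
SYNCHRONOUS = {"tensor", "next"}
DUAL_OP = {"par": "tensor", "tensor": "par", "seq": "next", "next": "seq"}
SYMBOL = {"par": "⅋", "tensor": "⊗", "seq": "∇", "next": "⊙"}

def atom(name, positive=True):
    return ("atom", name, positive)

def dual(f):
    """De Morgan duality: the connective is swapped for its dual and the operands are
    exchanged, (A op B)⊥ = B⊥ dual(op) A⊥.  The exchange is invisible for ⅋/⊗ but
    essential for ∇/⊙, where the order of operands carries meaning.  Atoms flip
    between the positive and the negative subclass."""
    if f[0] == "atom":
        return ("atom", f[1], not f[2])
    op, a, b = f
    return (DUAL_OP[op], dual(b), dual(a))

def is_asynchronous(f):
    """Non-atomic formula whose top-most connective is ⅋ or ∇."""
    return f[0] in ASYNCHRONOUS

def is_synchronous(f):
    """Non-atomic formula whose top-most connective is ⊗ or ⊙."""
    return f[0] in SYNCHRONOUS

def show(f):
    """Fully parenthesised rendering with the connective symbols of section 2.1."""
    if f[0] == "atom":
        return f[1] if f[2] else f[1] + "⊥"
    op, a, b = f
    return f"({show(a)} {SYMBOL[op]} {show(b)})"
```

Applying dual twice returns the original formula, which is the involution property the text assumes, and the dual of an asynchronous formula is always synchronous.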

2.2 Sequent Proofs and Focusing

— Identity rules

\[
\frac{}{\vdash F, F^{\perp}}\ [I] \qquad \frac{\vdash \Gamma, F \qquad \vdash \Delta, F^{\perp}}{\vdash \Gamma, \Delta}\ [C]
\]

— Logical rules

\[
\frac{\vdash \Gamma, F, G}{\vdash \Gamma, F ⅋ G}\ [⅋] \qquad \frac{\vdash \Gamma, F \qquad \vdash \Delta, G}{\vdash \Gamma, \Delta, F \otimes G}\ [\otimes]
\]

Fig. 1. The standard sequent system of Multiplicative Linear Logic



In the fragment of Linear Logic we consider, the standard sequent system is
limited to the one shown in Figure 1. Sequents are simple multisets of formulae.
Proofs are obtained by assembling in a connected way instances of the inference
figures; the assembling is possible when the conclusion of an instance of inference
figure is the premiss of another. The resulting structure is a tree labeled with
sequents.

Proof search in this system comes up against two snags, identified in [2]: (i)
two proofs can be equivalent up to some irrelevant permutation of inference figures;
(ii) two proofs can also be equivalent up to the presence of some “dummy”
sub-proofs in which the premisses are all identical and identical to the conclusion
(such dummy sub-proofs can simply be discarded). A proof search procedure
should not make costly non deterministic choices to distinguish between such
pairs of equivalent proofs.

The technique proposed in [2] to deal with these problems relies on a refinement
of the sequent system. This refinement satisfies the following main
properties:

- Each inference figure in the refined system is a combination of inference figures
of the initial one. Hence, each proof in the refined system corresponds
straightforwardly to a proof in the initial one. This mapping is called “transduction”.

- Each proof in the initial system is equivalent (modulo permutations of inference
figures and deletion of dummy sub-proofs, of the kind mentioned above)
to a proof obtained by transduction of a proof in the refined system.

In other words, proofs in the refined system fully represent proofs in the ini- 
tial system, except that the refined system does not distinguish between many 
equivalent proofs of the initial system, which differ only by irrelevant syntac- 
tical differences. Hence, proof search in the refined system yields basically the 
same proofs and proof constructions as in the initial system, but saves a lot of 
resources otherwise needed to manage irrelevant non-determinism in the proof 
search process. 



- LogicEil rules 

\-r-ftL,F,G l-rilF hZllIG 
l-r-(|-L,F5?G hF,ZlJl.F0G 

— Reaction '()■; if F is not asynchronous 



[«ftl 



i-r,FtiL 

l-F1IL,F 



- Reaction IJ.: if F is neither synchronous nor a positive atom 



[aw 



l-F(t-F 
h FD-F 



- Identity: if F is a positive atom 



h F-L II, F 



— Decision: if F is synchronous or a positive atom 



[O] 



i-riiF 

hr, Fit 



Fig. 2. The Focusing sequent system for Multiplicative Linear Logic 



In the fragment of logic we consider, the refined system described in [2] can be
reduced to the one shown in Figure 2. It is called below the “Focusing” system.
Focusing sequents are of two types:

1. Γ ⇑ L where Γ is a multiset of non-asynchronous formulae and L an ordered
list of formulae;

2. Γ ⇓ F where Γ is a multiset of non-asynchronous formulae and F is a single
formula (called the “focus”).

The transduction of a Focusing inference figure simply “forgets” the structure of
the Focusing sequents (i.e. Γ ⇑ L becomes Γ, L where the order in L is forgotten
and Γ ⇓ F becomes Γ, F). In the case of the logical and identity inference figures,
transduction yields the corresponding inference figure in the initial system. The
transduction of the other Focusing inference figures (Reactions and Decision)
yields “dummy” inferences in which the premiss is identical to the conclusion
(eliminated in the transduction of a proof).

For a discussion of the Focusing system and its computational interpretations
in terms of proof search, consult [2]. Notice a slight difference in conventions
w.r.t. [2]: here, the Identity rule can only be triggered by a positive atom in
the focus (in ⇓ sequents). In [2], negative atoms had this triggering role, but
clearly, polarities are purely conventional, so this difference is only superficial.
The Focusing system is justified by the following theorem (stated and proved
in [2]):

Theorem 1 (Andreoli 1992). Let Γ be a multiset of non-asynchronous formulae
and L an ordered list of formulae.

⊢ Γ, L if and only if ⊢ Γ ⇑ L

More precisely, any proof of Γ, L in the standard sequent system can be mapped,
by permutation of inferences and deletion of dummy sub-proofs, into (the transduction
of) a proof of Γ ⇑ L in the Focusing system.

There is no straightforward way to map the demonstration of Theorem 1
to the Non-Commutative case. The shape of the focusing sequents in this case
is not obvious, and especially it is not clear how to combine the structuring of
sequents brought by Focusing with that induced by non-commutativity. Hence
the need to consider proof-nets, where the mapping between commutative and
non-commutative proofs is more straightforward.



2.3 Proof-Nets and Splitting

Proof-nets have been designed in an attempt to abstract away the inessential
sequentializations inherent in the syntax of sequent systems. Proof-nets are defined
in two steps. First, proof structures are defined as simple constructions
made of nodes and links. Each node is labeled by a single formula. Links are
instances of the following prototypes:

[Link prototypes (figure not reproduced): the Identity link, with two conclusions
labeled by dual formulae; the Cut link, with two premisses labeled by dual formulae;
the ⅋ link, with premisses A, B and conclusion A ⅋ B; and the ⊗ link, with
premisses A, B and conclusion A ⊗ B.]

In assembling nodes and links in a proof structure, the following purely syntactical
conditions must be respected: (i) each node is attached to exactly one
conclusion of a link and at most one premiss; (ii) no two different nodes can be
attached to the same premiss or conclusion of a link; (iii) the overall structure
is connected. The conclusions of a proof structure are the nodes which are not
attached to the premiss of any link.
Proof-nets are proof structures which satisfy a certain correctness criterion.
Several equivalent criteria have been proposed in the literature. We use here
the criterion based on switching positions and paths; each node in a proof
structure is labeled by a formula, but is also decorated by two “gates” (written
↑ and ↓); a switching position for a link is an undirected graph between the gates
of its premiss and conclusion nodes, of one of the following types (dashed lines):

[Switching positions for the ⅋ and ⊗ links (figure not reproduced): right switches
shown; left switches are symmetric.]

The “no short-path” criterion [4] states:

A proof-net is a proof-structure such that for any choice of a switching
position for each of its links, the undirected graph induced between its
gates, completed by an edge A↑–A↓ for each conclusion A, contains a
single circuit which goes through all the gates of the proof structure.

Furthermore, we make two technical assumptions, justified by our proof search
orientation, and which cost no generality:

— The identity link is restricted to atomic formulae only: any identity link
with non atomic formulae can be reduced in a straightforward way to atomic
identities.

— The cut link is not used; we make use here of the well known cut-elimination
result on proof-nets, proved in [4].

Any sequent proof β can straightforwardly be mapped into a proof structure
β* such that the multiset of conclusions of β* is exactly the conclusion sequent
of β. The equivalence between sequent proofs and proof-nets is precisely given
by the following theorem (stated and proved in [4]):

Theorem 2 (Girard 1987). Equivalence between proof-nets and sequent proofs.

— Let β be a sequent proof. Then β* is a proof-net.

— Let π be a proof-net. Then there exists a sequent proof β such that β* = π.

The first statement of the theorem is straightforward. The second one relies
essentially on the following “Splitting lemma”, which we detail here since it is
essential to our purpose.

Definition 1. Let π be a proof-net and F be one of its synchronous conclusions.
F is splitting for π, and we write F ∈ split(π), if and only if π consists of two
proof nets πA, πB, plus a synchronous link the premisses of which are conclusions
of, resp., πA and πB, and the conclusion of which is labeled with F.

The Splitting lemma (stated and proved in [4]) expresses that, under some conditions,
a proof-net can always be split in the sense of the above definition.
Fig. 3. A sample proof-net and a possible split [figure not reproduced; its
conclusions include a ⊗ b⊥ ⊗ c and d ⊗ b]



Theorem 3. Let π be a proof-net that contains no asynchronous conclusion and
at least one synchronous conclusion. Then split(π) ≠ ∅.

An example of split proof-net is given in Figure 3. The split formula in this case
is a⊗b⊥⊗c. It is easy to check that the two sub-proof-structures obtained by
splitting the net at this conclusion are indeed proof-nets. Notice that there is
another splitting conclusion, namely d⊗b.



2.4 The Non-commutative Case 



Non-Commutative logic, introduced in [1], is a refinement of the commutative
case in terms of proof-nets. Two new link types are added (notice here that the
premisses are directed), with associated switching positions:



[Figure: the two non-commutative links. The ∇-link has premisses A, B and
conclusion A∇B, with three switching positions: Right, Left and ∇₃. The ⊙-link
has premisses A, B and conclusion A⊙B, with a single switching position: Right
only.]



The criterion for proof-net correctness is extended to the non-commutative
versions of the connectives. A straightforward mapping between non-commutative
proof structures and commutative ones is defined by: given a non-commutative
proof structure π, we build the corresponding commutative proof structure π°
by replacing in π the occurrences of non-commutative connectives and links by
their corresponding commutative version (i.e. ∇ by ⅋ and ⊙ by ⊗). We then have
the following theorem (stated and proved in [1]):
Theorem 4 (Abrusci-Ruet 1998). Let π be a non-commutative proof structure.
π is a (non-commutative) proof-net if and only if

— π° is a (commutative) proof-net;

— for every ∇₃-free switching for π, the inner parts of ∇-links in the induced
cycle contain no conclusions and do not overlap.

This central theorem allows us to map proof-net properties, in particular
Focusing, as we will see below, from the commutative case to the non-commutative
one. For a precise definition of “inner parts” of ∇-links and their “overlapping”,
please refer to [1].

3 Focusing with Proof-Nets 

Informally, the main point of this section is to express focusing as a refinement of 
Theorem 3. This theorem states that whenever a proof-net contains no asynchro- 
nous conclusion and at least one synchronous conclusion, there exists a splitting 
synchronous conclusion. The main refinement we introduce is that the splitting 
conclusion can be chosen in such a way that each of its premisses, if it is synchro- 
nous, is itself a splitting conclusion for the sub-proof-net obtained by splitting. 
Focusing thus appears as a “hereditary” version of Splitting. 



3.1 Focusing Conclusions 

In Linear Logic, the sequentialization of a proof-net proceeds by induction on the
size of the proof-net. At each induction step, there are three cases to consider:

— If the proof-net contains an asynchronous conclusion, then

1. remove the corresponding link;

2. recursively apply sequentialization to the remaining proof-net;

3. complete the sequent proof obtained with the corresponding asynchronous
inference figure.

— If the proof-net contains no asynchronous conclusion but at least one
synchronous conclusion, then

1. use Theorem 3 to choose a splitting synchronous conclusion, and split
the proof-net at this formula into two sub-proof-nets;

2. recursively apply sequentialization to each of these sub-proof-nets;

3. combine the resulting sequent proofs with the corresponding synchronous
inference figure.

— If the proof-net contains neither synchronous nor asynchronous conclusions,
i.e. it must be an instance of the identity link, then its sequentialization is
reduced to the identity axiom [I].

This procedure yields a sequent proof the conclusion of which is the sequent made
of the multiset of conclusions of the initial proof-net. However, the resulting proof
may not be a focusing proof. For example, the sequentialization of the proof-net
of Figure 3, where the conclusions are numbered according to the order in which
they are chosen for splitting, yields the following sequent proof:






(premisses are written on the line above their conclusion; [⊗i] is the ⊗ inference
figure for the conclusion numbered (i) in Figure 3)

                                 [I] ⊢ b⊥, b      [I] ⊢ a, a⊥
                 [I] ⊢ d⊥, d     [⊗3] ⊢ b, a⊥, a⊗b⊥
                 [⊗2] ⊢ d⊥, d⊗b, a⊥, a⊗b⊥                      [I] ⊢ c, c⊥
                 [⊗1] ⊢ d⊥, d⊗b, a⊥, a⊗b⊥⊗c, c⊥



This proof is not focusing (i.e. it cannot be obtained as the transduction of a
proof in the Focusing system). Indeed, the inference figure [⊗1] decomposes the
synchronous formula a⊗b⊥⊗c, but its synchronous sub-formula a⊗b⊥ is not
principal in the next inference figure [⊗2], violating the “synchronous critical
section” property of focusing proofs. To obtain a focused version of the above
proof (assuming a, b, c, d are positive atoms), it is here sufficient to permute the
inference figures [⊗2] and [⊗3]. Indeed, the proof thus obtained is the transduction
of the following proof in the Focusing system:



(premisses are written on the line above their conclusion)

                 ⊢ d⊥ ⇓ d      ⊢ b⊥ ⇓ b
                 ⊢ d⊥, b⊥ ⇓ d⊗b
    ⊢ a⊥ ⇓ a     ⊢ d⊥, d⊗b ⇓ b⊥
                 ⊢ d⊥, d⊗b, a⊥ ⇓ a⊗b⊥                      ⊢ c⊥ ⇓ c
                 ⊢ d⊥, d⊗b, a⊥, c⊥ ⇓ a⊗b⊥⊗c
                 ⊢ ⇑ d⊥, d⊗b, a⊥, a⊗b⊥⊗c, c⊥



This focused proof could also have been obtained by sequentialization of the
initial proof-net, using a different ordering in the choice of splitting conclusions,
namely (1-3-2):

a⊗b⊥⊗c, a⊗b⊥, d⊗b

instead of (1-2-3):

a⊗b⊥⊗c, d⊗b, a⊗b⊥



Thus, Focusing basically appears as a strategy in the choice of the splitting
formula allowed by Theorem 3 in the Sequentialization procedure. More precisely,
Focusing expresses that in the conditions of Theorem 3, not only is the set
of splitting conclusions non-empty, but its subset consisting of the “focusing”
conclusions, defined below, is also non-empty. Sequentialization will yield
a focusing proof if, at each choice of a splitting conclusion in the procedure,
a focusing conclusion is selected. The set of focusing conclusions of a net is
inductively defined as follows:



Definition 2. Let π be a proof-net and F be one of its conclusions. F is focusing
for π, and we write F ∈ foc(π), if and only if one of the following two conditions
holds:

1. F is a positive atom and π is reduced to an axiom link.

2. F ∈ split(π) and π is split at F (with subformulae A and B) into two
sub-proof-nets π_A, π_B and

— A is asynchronous or a negative atom or A ∈ foc(π_A)

— B is asynchronous or a negative atom or B ∈ foc(π_B)

From this definition, it is clear that for a proof-net (not reduced to an axiom
link), the set of focusing formulae is a subset of the set of splitting formulae:

foc(π) ⊆ split(π)

Notice however that, unlike splitting, our definition of focusing also applies to
proof-nets reduced to the axiom link. This is essential and allows us to capture the
particular role of polarities in Focusing, which is fully exploited in LinLog, the
normalization procedure for Linear Logic [2].
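The following is an added example, not code from the paper: it encodes the proof-net of Figure 3, computes split(π) and foc(π) by Definitions 1 and 2, and runs the Sequentialization procedure of Section 3.1 with the choice of synchronous conclusion restricted, or not, to focusing ones. It assumes (as Section 3 does) that the input is a proof-net, so a ⊗-conclusion is taken to be splitting exactly when its two premisses are disconnected once the ⊗-link is removed; the names Fm, Net, FIG3 and fig3_orders are this example's own.

```python
from collections import defaultdict, deque

class Fm:
    """A formula occurrence (a node); node identity tells the two 'a' occurrences apart."""
    def __init__(self, kind, name=None, pos=True, left=None, right=None):
        self.kind, self.name, self.pos = kind, name, pos  # kind: atom | tensor | par
        self.left, self.right = left, right
    def __str__(self):
        if self.kind == 'atom': return self.name + ('' if self.pos else '⊥')
        return f"({self.left}{'⊗' if self.kind == 'tensor' else '⅋'}{self.right})"

def atom(name, pos=True): return Fm('atom', name, pos)
def tensor(a, b): return Fm('tensor', left=a, right=b)
def par(a, b): return Fm('par', left=a, right=b)
def asynchronous(f): return f.kind == 'par'
def positive_atom(f): return f.kind == 'atom' and f.pos
def negative_atom(f): return f.kind == 'atom' and not f.pos

class Net:
    """Cut-free MLL proof structure: ordered conclusions plus axiom links (pairs of dual
    atom occurrences). As in Section 3, the structure is assumed to be a proof-net."""
    def __init__(self, conclusions, axioms):
        self.conclusions = list(conclusions)
        self.axioms = [frozenset(p) for p in axioms]
    def sequent(self):
        return '⊢ ' + ', '.join(map(str, self.conclusions))
    def _adjacency(self, cut=None):
        """Undirected graph between the nodes, with the link of conclusion `cut` removed."""
        adj = defaultdict(set)
        def walk(f):
            if f.kind != 'atom':
                for g in (f.left, f.right):
                    if f is not cut:
                        adj[f].add(g); adj[g].add(f)
                    walk(g)
        for c in self.conclusions: walk(c)
        for x, y in self.axioms:
            adj[x].add(y); adj[y].add(x)
        return adj
    @staticmethod
    def _component(start, adj):
        seen, todo = {start}, deque([start])
        while todo:
            for g in adj[todo.popleft()]:
                if g not in seen:
                    seen.add(g); todo.append(g)
        return seen
    def is_axiom_link(self):
        return len(self.conclusions) == 2 and all(c.kind == 'atom' for c in self.conclusions)
    def split_at(self, t):
        """Definition 1: (π_A, π_B) if t is a splitting ⊗-conclusion, i.e. its two premisses
        are disconnected once the ⊗-link is removed; None otherwise."""
        if t.kind != 'tensor': return None
        adj = self._adjacency(cut=t)
        comp_a = self._component(t.left, adj)
        if t.right in comp_a: return None
        comp_b = self._component(t.right, adj)
        def sub(prem, comp):  # conclusions keep the order of π, with prem in place of t
            concl = [prem if c is t else c for c in self.conclusions if c is t or c in comp]
            return Net(concl, [ax for ax in self.axioms if ax <= comp])
        return sub(t.left, comp_a), sub(t.right, comp_b)
    def split(self):
        return [c for c in self.conclusions if self.split_at(c)]
    def foc(self):
        """Definition 2, evaluated recursively on the sub-proof-nets."""
        if self.is_axiom_link(): return [c for c in self.conclusions if positive_atom(c)]
        ok = lambda f, sub: asynchronous(f) or negative_atom(f) or f in sub.foc()
        return [c for c in self.split()
                if all(ok(f, n) for f, n in zip((c.left, c.right), self.split_at(c)))]
    def sequentialize(self, focusing=True, prefer=(), order=None):
        """Sequentialization of Section 3.1; the split conclusion is taken in foc(π) if focusing,
        else in split(π), preferring the first of `prefer` present (else the last). Returns (proof, order)."""
        order = [] if order is None else order
        asyncs = [c for c in self.conclusions if asynchronous(c)]
        if asyncs:  # case 1: remove the ⅋-link, its premisses become conclusions
            p = asyncs[-1]
            concl = [x for c in self.conclusions for x in ((c.left, c.right) if c is p else (c,))]
            sub, _ = Net(concl, self.axioms).sequentialize(focusing, prefer, order)
            return ('[⅋]', self.sequent(), [sub]), order
        if self.is_axiom_link(): return ('[I]', self.sequent(), []), order  # case 3
        cands = self.foc() if focusing else self.split()  # case 2: Theorem 3 (resp. 5)
        t = next((p for p in prefer if p in cands), cands[-1])
        order.append(t)
        subs = [n.sequentialize(focusing, prefer, order)[0] for n in self.split_at(t)]
        return ('[⊗]', self.sequent(), subs), order

# The proof-net of Figure 3, built here from the conclusions named in the text:
# d⊥, d⊗b, a⊥, a⊗b⊥⊗c, c⊥, with a, b, c, d positive atoms.
d1, d2, b1, b2 = atom('d', False), atom('d'), atom('b'), atom('b', False)
a1, a2, c1, c2 = atom('a', False), atom('a'), atom('c'), atom('c', False)
T2, T3 = tensor(d2, b1), tensor(a2, b2)  # (2) d⊗b and (3) a⊗b⊥
T1 = tensor(T3, c1)                      # (1) a⊗b⊥⊗c
FIG3 = Net([d1, T2, a1, T1, c2], [(d1, d2), (b1, b2), (a1, a2), (c1, c2)])

def fig3_orders():
    """Splitting orders for Figure 3 under the (1-2-3) preference, without and with focusing."""
    pref = (T1, T2, T3)
    return FIG3.sequentialize(False, pref)[1], FIG3.sequentialize(True, pref)[1]
```

With the same (1-2-3) preference, the unrestricted run splits in the order (1-2-3) while the run restricted to foc(π) is forced into (1-3-2), since d⊗b is splitting but not focusing in the sub-proof-net left after the first split.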



3.2 The Focusing Theorem 

The following theorem is shown in Appendix A.2.

Theorem 5. Let π be a proof-net containing no asynchronous conclusion. Then
foc(π) ≠ ∅.

Thus, Focusing appears as a refinement of Splitting. It expresses a form of “hereditary”
Splitting, and, in addition, allows a form of control of the hereditary splitting
sequences by the polarities of the atoms found at the end of each sequence (if
any). We can now make more precise the view of Focusing as a Splitting strategy
in the Sequentialization procedure, illustrated above. For technical reasons, we
assume that any proof-net is equipped with a total ordering of its conclusions,
which can be straightforwardly expanded to all its nodes in such a way that (i)
the lowest of two subformulae of the same conclusion is the “left-most, outer-most”
in the tree representation of that conclusion^, and (ii) the subformulae of
different conclusions are in the same order as these conclusions. The ordering of
the conclusions can be completely arbitrary; its extension to all the nodes of the
proof-net is uniquely defined and induces an ordering of the conclusions for all
the sub-proof-nets of the initial one. The ordering is only used here to capture
arbitrary choices in the Sequentialization procedure (it has nothing to do with
the ordering induced by non-commutativity). Let us enforce that,

— at each choice of an asynchronous conclusion for decomposition in the
Sequentialization procedure, the highest (w.r.t. node ordering) asynchronous
conclusion is selected;

— at each choice of a synchronous conclusion for decomposition in the
Sequentialization procedure (when no asynchronous conclusions exist), the highest
(w.r.t. node ordering) focusing conclusion is selected.

Then, the following property can easily be shown by induction on the size of the
proof-net:

^ By convention, a formula is “outer” than its own sub-formulae, and in a formula
F c G — where c is any connective — the subformulae of F are “on the left” of
those of G.

Let π be a proof-net and L be the (ordered) list of its conclusions. Then
the sequentialization of π is (a transduction of) a Focusing proof of ⊢ ⇑ L.

The induction works on this property together with the following one:

Let π be a proof-net with no asynchronous conclusion and at least one
synchronous one (hence at least one focusing conclusion). Then the
sequentialization of π is (a transduction of) a Focusing proof of a sequent
of the form ⊢ Γ ⇓ F where F is the highest focusing conclusion of π.

A careful analysis of the proof of Theorem 5 shows that it relies on two basic
features: (i) the Splitting lemma and (ii) the partition of compound formulae
between asynchronous and synchronous formulae, completed by the partition
of atomic formulae between positive and negative atoms. The Splitting lemma
itself has been reformulated in terms of the asynchronous/synchronous duality
in Theorem 3. In fact, the proof of Theorem 5 also makes use of an implicit
property (a “Merging” property, the proof of which is quite straightforward):

Let π_A, π_B be two proof-nets. Then the proof structure obtained by
assembling π_A, π_B plus a synchronous link the premisses of which are
conclusions of, resp., π_A and π_B, is a proof-net.

Consequently, Focusing applies to any logic where

— the synchronous/asynchronous duality holds, and

— the (reformulated version of the) Splitting lemma (and Merging property)
hold.

This is the case, for instance, of Multiplicative Non-commutative Logic, as shown
in Appendix A.3 (for the Splitting lemma) and Appendix A.4 (for Merging) using
only Theorem 4. Therefore, Theorem 5 also holds in this Non-commutative Logic.
On the other hand, Theorem 5 does not apply to other logics where the Splitting
lemma and the asynchronous/synchronous duality do not hold, such as Pomset
logic [11] (the connective ◁ is neither synchronous nor asynchronous).

The link between commutative and non-commutative proof-nets, captured by
Theorem 4, and the exact analogy of the Focusing property in the commutative
and non-commutative cases, show that

Theorem 6. Let π be a non-commutative proof-net.

foc(π°) = (foc(π))°

In particular, this means that, in terms of proof search, the synchronous/asynchronous
duality does not distinguish between the commutative and non-commutative
cases.
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4 Conclusion and Future Work 

We have shown here that Focusing can be expressed in terms of proof-nets, 
when restricted to the multiplicative fragment of Linear Logic. The only prop- 
erty which is used in the demonstration of this result is the “Splitting lemma” , 
reformulated in terms of the “asynchronous/synchronous” duality of the con- 
nectives. Consequently, the result can be generalized to any logic where this 
property holds, and in particular Non-commutative Logic. 

But the sequent system version of Focusing, presented in [2], has the interesting
property that it applies to the whole of Linear Logic, not just its multiplicative
fragment. Indeed, the deep symmetry captured by the synchronous/asynchronous
duality extends straightforwardly to additive connectives, and even, to some extent,
to the exponentials, although, in the latter case, the asynchronous behavior
of ? and the synchronous behavior of ! appear only in the “dyadic” sequent system,
with some adjustments with respect to the other connectives.

As future work, we intend to re-formulate the Focusing result, obtained here
in terms of multiplicative Non-commutative proof-nets, in the sequent system of
the whole Non-commutative logic, and thus achieve the same kind of efficiency
in proof search as in the commutative case. This can be done in three steps:

— First, we have to state the Focusing result in the multiplicative fragment of 
the Non-commutative sequent system. The only difficulty here is to choose 
the most appropriate representation for Non-commutative sequents (either 
with order-varieties or through explicit rules of “See-saw” and “Entropy” - 
see [12], which shows the equivalence of the two approaches). 

— Then, we have to introduce the additive connectives. Their behavior is a 
priori orthogonal to non-commutativity, since removal of the Exchange rule 
does not affect their commutativity, but we must check that Focusing extends 
as straightforwardly to the additives as in the commutative case. 

— Finally, introducing the exponentials should not cause any major problem: a 
similar approach to that taken in the commutative case should work, where 
unbounded formulae are placed in an “extra-territorial area”^ and can at 
any time be materialized at any location (in [2], this cirea is represented in 
Focusing sequents by an additional field separated by 

However, we expect to go beyond this result, and, by analysing thoroughly
the invertibility and permutability of inference figures in the Non-commutative
case, to achieve a form of proof search optimization which goes beyond the
synchronous/asynchronous duality and exploits the specific features of Non-
commutativity (Theorem 6 shows that this duality does not distinguish between
the commutative and non-commutative cases). In particular, the See-saw and
Entropy rules present interesting invertibility properties which are essential to
help deciding when to allow them in a Focusing system, preserving the completeness
of Focusing while minimizing the intrinsic non-determinism they carry
(reminiscent of the treatment of Weakening and Contraction with Decision rules
in the commutative case).

^ This expression was originally coined by Jean-Yves Girard, at the Frascati
workshop [6].

Ultimately, we seek to obtain for Non-commutative Logic a “normal form” 
analogous to LinLog for Linear Logic, which captures in a restricted, “logic- 
programming” -like syntax the whole power of Focusing. 
A Demonstrations

A.1 A Focusing Lemma
We first prove the following lemma.

Lemma 1. Let π be a proof-net with no asynchronous conclusion, and S =
A ⊗ B be a splitting formula of π. Let π_A, π_B be the two proof-nets obtained by
splitting π at S. If A is not a negative atom, then

foc(π_A) \ {A} ⊆ foc(π)

(and similarly for the B side).

Demonstration: We proceed by induction on the size of π. Let F ∈ foc(π_A) \
{A}. Since F is focusing in π_A, there are two cases to consider:

F is a positive atom, and π_A is reduced to an axiom link, with conclusions
F and F⊥, one of which is A. But:

— By hypothesis, A is not a negative atom, hence A ≠ F⊥.

— By hypothesis, F ∈ foc(π_A) \ {A}, hence A ≠ F.

Contradiction.

F is a splitting synchronous formula of π_A, of the form C ⊗ D, and π_A is
split at F into two sub-proof-nets π_C, π_D such that

[R1]: C is asynchronous or a negative atom or C ∈ foc(π_C)

[R2]: D is asynchronous or a negative atom or D ∈ foc(π_D)




Fig. 4. Different ways of assembling the sub-proof-nets 



Since A is a conclusion of π_A different from F and π_A is split at F into π_C, π_D,
then A must be in the conclusions of π_C or of π_D. We assume, without loss
of generality, that A is a conclusion of π_D (other than D, obviously). Let π'
be the proof structure consisting of π_D, π_B and the splitting link of π at S
(see Figure 4). It is not difficult to see that

[R3]: π' is a proof-net split at S into π_D and π_B;

[R4]: π is split at F into π_C and π'.

Since π' is smaller (in size) than π, we conclude, by the induction hypothesis
applied to [R3], that

foc(π_D) \ {A} ⊆ foc(π')

From this, and [R2] and D ≠ A, we infer that

[R5]: D is asynchronous or a negative atom or D ∈ foc(π')

From [R1] and [R5] and [R4], by application of Definition 2, we obtain that
F ∈ foc(π).

□ 



A.2 The Focusing Theorem

We make use of the previous lemma to show Theorem 5:

Let π be a proof-net containing no asynchronous conclusion. Then foc(π) ≠ ∅.

Demonstration: We proceed by contradiction. Let us assume that there exists
a proof-net π containing no asynchronous conclusion and such that foc(π) = ∅.
We choose π to be of minimal size. We consider two cases:

Either π has no synchronous conclusion, and, since it contains no asynchronous
conclusion either, it must be reduced to the axiom link. But then,
one of the two conclusions is a positive atom F, which, by Definition 2, is
focusing for π. Contradiction.

Or π does contain at least one synchronous conclusion, and, since it contains
no asynchronous conclusion, by application of the Splitting lemma, we
know that there exists a synchronous conclusion F of π, of the form A ⊗ B,
which splits π into two sub-proof-nets π_A and π_B.
Suppose that

[R1]: A is neither asynchronous nor a negative atom.

— By construction, the conclusions of π_A other than A are conclusions
of π (hence not asynchronous). Since A itself is not asynchronous
by [R1], we infer that none of the conclusions of π_A
are asynchronous. Since π_A is strictly smaller than π, which is
a proof-net of minimal size without asynchronous nor focusing
conclusions, we conclude that

[R2]: foc(π_A) ≠ ∅

— A is not a negative atom by [R1], hence, by application of Lemma 1,
we have

[R3]: foc(π_A) \ {A} ⊆ foc(π)

Since foc(π) = ∅, we conclude from [R3] that foc(π_A) ⊆ {A}, and,
from [R2], we conclude that foc(π_A) = {A}. Hence A ∈ foc(π_A).

Thus, by discharging hypothesis [R1], we conclude

[R4]: A is asynchronous or a negative atom or A ∈ foc(π_A)

By symmetry, we can equally prove that

[R5]: B is asynchronous or a negative atom or B ∈ foc(π_B)

But, from [R4] and [R5], by application of Definition 2, we have that F ∈
foc(π). Contradiction.

□ 



A.3 The Splitting Lemma in Non-commutative Logic 

We have to show that the Splitting lemma applies to Non-commutative Logic.

Let π be a non-commutative proof-net with no asynchronous conclusion
and at least one synchronous one. Then there exists a synchronous
conclusion F such that π consists of two proof-nets π_A, π_B plus a
synchronous link the premisses of which are conclusions of, resp., π_A and
π_B, and the conclusion of which is labeled with F.

Demonstration: Let π be a non-commutative proof-net with no asynchronous
conclusion and at least one synchronous one. Obviously, π° is a commutative
proof-net with no asynchronous conclusion and at least one synchronous one,
so it is amenable to the commutative Splitting lemma (Theorem 3). Hence, π°
consists of two proof-nets π'_A, π'_B plus a synchronous link the premisses of which
are conclusions of, resp., π'_A and π'_B, and the conclusion of which is labeled with
F°. By construction of π°, we have that π'_A (resp. π'_B) is of the form π_A° (resp.
π_B°), and π consists of π_A, π_B plus a synchronous link the premisses of which are
conclusions of, resp., π_A and π_B, and the conclusion of which is labeled with F.
Therefore, all we have to check is that π_A and π_B are non-commutative proof-nets
(not just proof-structures). In fact, we have that π_A° and π_B° are commutative
proof-nets, so all we have to check is the condition on inner parts of Theorem 4.
Let s_A (resp. s_B) be a ∇₃-free switching for π_A (resp. π_B). We can build a
∇₃-free switching s for π by assembling s_A, s_B and by choosing the Right switching
for F (i.e. R⊗ or R⊙ depending on the top-most connective in F):




Let l be a ∇-link of π_A, and let us assume its inner part in s_A(π_A) contains a
conclusion C of π_A. There are two cases to consider:

— If C is different from A, then it is a conclusion of π; hence the inner part of
l in s(π) also contains a conclusion of π. Contradiction (by Theorem 4, since
π is a proof-net).

— If C = A, then the inner part of l in s_A(π_A) goes

In s(π), the inner part of l becomes

which contains the conclusion F of π. Contradiction (by Theorem 4, since π
is a proof-net).

Hence, the inner part of a ∇-link of π_A in s_A(π_A) is the same as that in s(π) and
does not visit any conclusion of π_A. Since inner parts of ∇-links do not overlap
in s(π) (by Theorem 4), neither do they in s_A(π_A). □

A. 4 The Merging Property 

We have to show the following property in Non-commutative Logic (in commutative
logic, it is a straightforward consequence of the “no-short-trip” condition
over proof-nets).

Let π_A, π_B be two non-commutative proof-nets. Then the proof structure
obtained by assembling π_A, π_B plus a synchronous link the premisses of
which are conclusions of, resp., π_A and π_B, is a non-commutative proof-net.

Demonstration: Let π_A, π_B be two non-commutative proof-nets and let π be
the proof structure obtained by assembling π_A, π_B plus a synchronous link the
premisses of which are conclusions A, B of, resp., π_A and π_B. By Theorem 4,
we know that π_A° and π_B° are commutative proof-nets, and hence so is π° (by
commutative Merging). Therefore, all we have to prove is that π satisfies the
criterion of Theorem 4 on inner parts. Let s be a ∇₃-free switching of π and l be
a ∇-link of π. We can assume without loss of generality that l is in π_A. Let s_A be
the switching s restricted to π_A. By Theorem 4, we have that the inner part of
l in s_A(π_A) contains no conclusion of π_A, and hence does not visit A. Hence the
inner part of l in s(π) is the same as that in s_A(π_A). Therefore the inner part
of a ∇-link of π in s(π) is exactly its inner part in the sub-proof-net (π_A or π_B)
where it occurs. Consequently, since the condition of Theorem 4 holds in these
sub-proof-nets, it also holds in π (the non-overlapping condition is obvious if the
two links belong to the two different sub-proof-nets). Hence π is a proof-net. □
Abstract. CHAT offers an alternative to SLG-WAM for implementing
the suspension and resumption of consumers that tabling needs: unlike
SLG-WAM, it does not use freeze registers nor a complicated trail to
preserve their execution environments. CHAT also limits the amount of
copying of CAT, which was previously put forward as another alternative
to SLG-WAM. Although experimental results show that in practice
CHAT is competitive with — if not better than — SLG-WAM, there remains
the annoying fact that on contrived programs the original CHAT
can be made arbitrarily worse than SLG-WAM, i.e. the original CHAT
has an intrinsically higher complexity. In this paper we show how to overcome
this problem; in particular, we deal with the two sources of higher
complexity of CHAT: the repeated traversal of the choice point stack,
and the lack of sufficient sharing of the trail. This is achieved without
fundamentally changing the underlying principle of CHAT, by a technique
that manipulates a Prolog choice point so that it temporarily assumes a
different functionality, in a way that is transparent to the underlying
WAM. There is more potential use of this technique besides lowering
the worst case complexity of CHAT: it leads to considering scheduling
strategies that were not feasible before, either in CHAT or in SLG-WAM.
We also discuss extensively issues related to the implementation of the
trail in a tabled logic programming system.



1 Introduction 

Tabling has by now been recognized as an important feature of logic program- 
ming systems. Indeed, a number of applications that were either beyond the 
reach or very difficult to tackle with conventional Prolog systems are now possible
using tabled evaluation. Such application areas include, but are not limited
to, verification using model checking [9], program analysis [2], and logic-based
databases [12]. Despite this increase in applicability of tabled implementations, 
for quite a long time, there seemed to be only one possible way of implementing 
the suspension/resumption mechanism that tabling requires in a logic program- 
ming system that was based on WAM. This mechanism is described in [11] as 
part of the SLG-WAM (the engine of the XSB system [12]) which also defines 

* A tight correspondence between alternatives for suspension/resumption in the WAM. 
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and gives alternative implementations for the other components of a tabled logic 
programming system, i.e. the tables themselves, the scheduling strategy, the ex- 
tension of the WAM instruction set and the mechanism for detecting completion. 
It is clear that the issues involved in the tables themselves are rather loosely cou- 
pled to the basic engine; i.e. whether one uses tries or not as data structures for 
tabling, does not affect the underlying WAM. So are issues related to the choice 
of the scheduling strategy [6], or whether completion detection is based on ex- 
act or approximate dependencies. On the other hand, the implementation of 
suspension/resumption as in SLG-WAM does affect the WAM, because of its 
introduction of a set of freeze registers and a forward trail. This compromises to 
a certain extent the efficiency of the underlying abstract machine, even for plain 
Prolog execution, but more importantly it does not allow for an easy adoption 
of the mechanism in an existing system. Finally, it is clear that even though the 
choice of a scheduling strategy can be orthogonal to the underlying LP engine, 
some strategies are disadvantaged or even impossible when a particular imple- 
mentation for suspension/resumption is fixed. So it is important to study sus- 
pension/resumption implementation models and their properties. [11] describes 
one implementation of suspension/resumption but no alternative is hinted at, 
because it was assumed at that time that “reasonable” (i.e. sufficiently efficient) 
alternatives did not exist. 

A first alternative implementation for suspension/resumption in tabling was 
offered by CAT [3] which stands for the Copying Approach to Tabling. The 
guiding principle of the design was that the underlying WAM should not be 
affected by the introduction of tabling and CAT achieved exactly that: starting 
from a WAM implementation, CAT implements suspension/resumption of con- 
sumers without affecting any part of the WAM. In particular, CAT employs the 
usual WAM trail and no freeze registers. The price to pay for this orthogonality 
is copying the state of consumers. Although copying has quite horrible worst 
cases, in practice CAT works quite well. But the high memory consumption of 
CAT (under certain scheduling strategies) was worrying and in [4] we have tried 
to remedy this by copying only data that could be reachable in forward execu- 
tion; i.e. not saving any data that will be garbage on resumption of a consumer. 
Although this lowers the space requirements of CAT, the worst case complexity 
of CAT remains unaffected. Thus, still not satisfied, we proposed in [5] another 
alternative, CHAT, which combines certain features of CAT with SLG-WAM, 
hence the H in its name which stands for Hybrid. In particular, heap and local
stack are frozen without the need for freeze registers and the trail is partially and 
incrementally copied so that the WAM trail can be retained. CHAT considerably 
improves on CAT space wise and offers the same added flexibility of schedul- 
ing strategies as CAT. Still, in principle, the original CHAT has two sources of 
added complexity which can result in arbitrarily worse behavior of CHAT than
SLG-WAM (see Section 3.3)^. Annoyed by this theoretical problem, in this paper,
we give a detailed account on how to guarantee that CHAT will not perform
arbitrarily worse than SLG-WAM. This is the main contribution of the paper:



^ The SLG-WAM can also be arbitrarily worse space-wise than CHAT; see Section 8.
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we show how without fundamentally changing the underlying principle of CHAT 
(i.e. still without changing the underlying WAM for Prolog execution), CHAT 
can be implemented in such a way that it performs no worse complexity-wise (in 
both time and space) than SLG-WAM. We also note, however, that in practice 
CHAT performs better than SLG-WAM. 

CHAT as in [5] is our starting point. We will improve on its incremental
copying of trail segments, so that the same sharing of trail between consumers 
is possible as in SLG-WAM, and on the installation of the equivalent of freeze 
registers in choice points which in CHAT leads to repeated traversal of the choice 
point stack. The improvement is based on a technique that modifies choice points 
dynamically and in a transparent way for the underlying abstract machine: on 
backtracking to the modified Prolog choice point, it performs the incremental 
copying task that was formerly reserved for generators and then continues with 
its original alternative. The technique of modifying choice points opens possibil- 
ities for new scheduling strategies in the context of tabling. We also believe that 
it is of interest outside the relatively small area of tabled LP implementations. 

In Section 2 we introduce notation used later in the paper. Section 3 briefly 
describes CHAT, certain aspects of the SLG-WAM, and gives examples that 
show the two sources of added complexity in plain CHAT. Section 4 shows how 
repeated traversal of the choice point stack at CHAT save time can be avoided. 
Section 5 shows how the same sharing of trail as in SLG-WAM is obtained and 
Section 6 shows how it is exploited by CHAT. Section 7 discusses details of the 
implementation of the trail in tabled logic programming systems. Section 8 makes 
an exhaustive comparison of the space complexity of CHAT and SLG-WAM. 

2 Notation and Terminology 

We assume familiarity with the WAM [14], SLG-WAM [11], and to some extent
with CHAT [5], due to space limitations. However, some aspects of the
SLG-WAM and CHAT which are crucial for this paper are presented in Sections
3.1 and 3.2. We assume a four stack WAM, i.e. an implementation with
separate stacks for the choice points and the environments as in SICStus Prolog
or in XSB; however, this is by no means essential for this paper or for CHAT
(see [5]). We will also assume stacks to start from low addresses and to grow
downwards; i.e. higher in the stack means older, lower in the stack (or more
recent) means younger and a larger address value.

We will use the following notation for WAM registers: H for top of heap
pointer; TR for top of trail pointer; EB for top of local stack pointer; B for most
recent choice point. Three different types of choice points are used: Generator,
Consumer or Prolog choice points, and they are identified by G, C or P respectively.
The (relevant for this paper) fields of a choice point are ALT, prevB, H, EB and
TR: the next alternative, the previous choice point, the top of heap, local and
trail stack respectively upon the creation of the choice point. For a choice point
identified by e.g. P, these fields are denoted as P[ALT], P[prevB], P[H], etc.

All relevant papers are accessible at http://www.csd.uu.se/~kostis/Papers/. 

In a tabled system, some predicates are designated as tabled by means of a 
declaration; all other predicates are non-tabled and are evaluated as in Prolog. 
The first occurrence of a tabled subgoal is termed a generator and uses resolution 
against the program clauses to derive answers for the subgoal. These answers are 
recorded in the table (for this subgoal). All other occurrences of identical (e.g. 
up to variance) subgoals are called consumers as they do not use the program 
clauses for deriving answers but they consume answers from this table. 

Implementation of tabling for non-deterministic languages is complicated by 
the fact that execution environments of consumers need to be retained until 
they have consumed all answers that the table associated with the generator 
will ever contain. To partly simplify and optimize tabled execution, implemen- 
tations of tabling try to determine completion of (generator) subgoals: i.e. when 
the evaluation has produced all their answers. This involves examining depen- 
dencies between subgoals and usually interacts with consumption of answers 
by consumers. The SLG-WAM has a particular stack-based way of determin- 
ing completion which is based on maintaining scheduling components; that is, 
sets of subgoals which are possibly inter-dependent. A scheduling component is 
uniquely determined by its leader: a (generator) subgoal Gl with the property 
that subgoals younger than Gl may depend on Gl, but Gl depends on no sub- 
goal older than itself. Obviously, leaders are not known beforehand and they 
might change in the course of a tabled evaluation. How leaders are maintained 
is an orthogonal issue beyond the scope of this paper; see [11] for more details. 
However, we note that besides determining completion, a leader of a scheduling 
component is usually¹ responsible for scheduling consumers of all subgoals that 
it leads to consume their answers. 



3 SLG-WAM, CHAT and their Complexity Difference 

3.1 Suspension/resumption in SLG-WAM: A brief description 

Tabling can be implemented by modifying the WAM to preserve execution en- 
vironments of consumers that suspend by freezing the WAM stacks, i.e. by not 
allowing backtracking to reclaim space in the stacks as is done in the WAM. 
The SLG-WAM employs a register-based freezing of the WAM stacks, i.e. the 
SLG-WAM adds an extra set of freeze registers to the WAM, one for each stack, 
and allocation of new information occurs below the frozen part of the stack. Sus- 
pension of a consumer is performed in the SLG-WAM by creating a consumer 
choice point, setting the freeze registers to point to the current top of the stacks, 
and upon exhausting all answers from the table fall back to the previous choice 
point by failing as in the WAM (i.e. undoing the variable bindings and restoring 
the WAM registers) but without reclaiming any space. Frozen space is reclaimed 
only upon determining completion of a scheduling component. 

¹ "usually" because this depends on the scheduling strategy; however, it holds for all 
scheduling strategies of the XSB system. 

Note that this method of freezing the stacks is a constant time operation. It 
does impose an overhead — even on plain Prolog execution — because allocation 
of new information on the stacks requires a comparison of the WAM register and 
the corresponding freeze register of the stack; but this overhead does not change 
the complexity of the abstract machine. 

To resume a suspended computation of a consumer, the SLG-WAM needs to 
have a mechanism to reconstitute its execution environment. Besides resetting 
the WAM registers (e.g. setting B to point to the consumer choice point), the 
variable bindings at the time of suspension have to be restored. This can be 
done using what is known as a forward trail [11, 15]. An entry in the forward 
trail consists of a reference cell, a value cell, and a back-pointer to the previous 
trail entry (see Fig. 1) as opposed to the regular WAM trail which consists of 
only the reference cell. Note that the trail back-pointer in the SLG-WAM reflects 
the fact that the trail stack is used to represent the tree of trails belonging to 
different computations. By following the back-pointer, parts of the trail that 
are not part of the same computation are skipped (see below). Given this trail, 
restoring the execution environment EE of a consumer from a current execution 
environment EE_c, is a matter of untrailing from EE_c to a common ancestor 
of EE_c and EE, and then using values in the forward trail to reconstitute the 
environment of EE. The exact algorithm of this operation is presented in [11]. 

Fig. 1. Format of an SLG-WAM (Forward) Trail Entry. An entry has three fields: 
  BackPtr  - pointer to the previous trail entry 
  Value    - value to which the variable was bound 
  VarAddr  - reference to (address of) the trailed variable 

Again, it is important to note the following: The forward trail adds a (time 
and space) overhead to both tabled and plain Prolog execution; however, this 
overhead is just a constant factor. On the other hand, the SLG-WAM makes 
good use of the cost of its extended trail: in particular, the back-pointers are 
used to minimize the cost of switching execution environments. Untrailing does 
not need to happen up to a generator choice point; instead it is sufficient to 
untrail to any common ancestor of EE_c and EE. In the XSB implementation 
of the SLG-WAM, this common ancestor is usually related to the nearest choice 
point; Section 7 elaborates more on this issue. The figure on the right gives a 
rough idea of the situation for the case of switching execution environments 
from C1 to C2; the common ancestor is P1. 

We finish this section by mentioning the design philosophy of the SLG-WAM: 
The efficiency of tabled execution is the prime goal. As a consequence, the basic 
operations of a tabled abstract machine were designed to have constant time 
(suspension through freezing) or lowest possible cost (resumption by exploiting 
sharing of trail). The small overhead added to some WAM operations is 
considered a reasonable price for making tabled execution efficient. 



3.2 Suspension/resumption in CHAT: A brief description 



CHAT's design philosophy is different: Introduction of tabling into a WAM-based 
system should leave the underlying WAM unchanged for (strictly) non-tabled 
execution. Naturally, CHAT tries to make the suspension/resumption support 
for tabling as efficient as possible, but never by violating the above requirement. 

We describe the actions of CHAT through an example. Consider the following 
state of a WAM-based abstract machine for tabled evaluation: A generator G 
has already been encountered and a generator choice point has been created for 
it immediately below a (Prolog) choice point P. Then execution continued with 
some other non-tabled code and let us, without loss of generality, assume that 
two Prolog choice points P1 and P2 were created and then a consumer C was 
encountered; G is its generator and G is not completed at this point. Thus, a 
consumer choice point is created for C; see Fig. 2(a). The heap and the trail 
are shown segmented according to the H and TR values saved in choice points; 
the same segmentation is not shown for the local stack as it is a spaghetti stack; 
however the EB values of choice points are also shown by pointers. 




Fig. 2. Stacks & CHAT area while executing under the original CHAT implementation: 
(a) upon creation of a consumer choice point; (b) after freezing: CPs adapted & CHAT 
copy; (c) upon reinstalling the CHAT area of C. 

CHAT preserves the execution environment of consumers partly by freezing 
and partly by copying. More specifically, CHAT freezes the heap and the local 
stack by modifying the H and EB fields of all choice points that lie between 
a consumer C and the nearest generator G, to C[H] and C[EB] respectively. 
Note that freezing in CHAT does not happen as in the SLG-WAM. We refer to 
CHAT's way of freezing stacks as CHAT freeze. To preserve information from 
the remaining stacks, CHAT uses copying: from the choice point stack only the 
consumer choice point is saved; from the trail the entries that lie between the 
consumer and the generator together with the values that these entries point 
to are saved. This copied information is saved in what is termed a CHAT area. 
Fig. 2(b) shows such an area and the resulting state of the stacks after modifying 
the fields of choice points; shaded parts show the information copied by CHAT. 

A rigorous argument why this freezing-copying scheme is correct can be found 
in [5]. For the purposes of this paper, we do not need to fully explain what hap- 
pens in case that G is not a leader of a scheduling component and execution 
backtracks over G. Full details can be found in [5], but essentially the same 
freezing mechanism is applied (now between G and the immediately older gen- 
erator) and an incremental copy of the trail is saved in a new CHAT area. It 
is important however to note that this new CHAT area is copied once and this 
incremental copy is shared by all consumers that have their state saved up to G. 

On the other hand, if upon failing back to G, G is a scheduling generator 
(e.g. a leader of a scheduling component), G needs to schedule all its consumers 
to consume answers from the table after it finishes all its program clause reso- 
lution. This implies resuming these consumers by restoring their execution en- 
vironments. In CHAT resumption is also done through copying: the consumer 
choice point is installed immediately below the choice point of the scheduling 
generator, and the saved part of the trail is copied from the CHAT area back to 
the trail stack. Fig. 2(c) gives a rough idea of a consumer’s reinstallation; shaded 
parts of the stacks show the copied information. 

3.3 The complexity issue 

The source of increase in complexity of CHAT w.r.t. SLG-WAM is two-fold: 

1. for each new consumer C, CHAT traverses the choice point stack from the 
   consumer up to the nearest generator G; if between C and G there are 
   n Prolog choice points P1 ... Pn, these can be visited arbitrarily often; 

2. assume a generator G and a Prolog choice point P immediately younger, 
   then if the computation starting at P creates consumers C1 ... Cm, then in 
   SLG-WAM C1 ... Cm share the part of the trail between P and G, but in 
   CHAT, each consumer's CHAT area contains a separate copy of that trail 
   part. Again, the space and time difference can be arbitrary. 

The example program from [5] (Fig. 3) shows both of these problems (the sub- 
scripts g and c denote occurrences of a generator or a consumer tabled subgoal). 
If the compiler recognizes that predicate make_choices/2 (which is supposed to 
create choice points) is indeed deterministic, a more complicated predicate can 
be used. The reason for giving the second argument to make_consumers is to 
ensure that on every creation of a consumer, H has a different value and an up- 
date of the H field of choice points between the new consumer and the generator 
is needed; otherwise, an obvious optimization of CHAT would be applicable. 
Against this program, in a query like: 

    ?- Choices = 100, Consumers = 200, main(Choices, Consumers). 

CHAT uses (Choices * Consumers) times more space and time than SLG-WAM. 
    main(Choices, Consumers) :- 
        p_g(_), make_choices(Choices, _), make_consumers(Consumers, []). 
    make_choices(N, trail) :- N > 0, M is N - 1, make_choices(M, _). 
    make_choices(0, _). 
    make_consumers(N, Acc) :- 
        N > 0, M is N - 1, p_c(_), make_consumers(M, [a|Acc]). 
    :- table p/1. 
    p(1). 

Fig. 3. A tabled program with different complexity under SLG-WAM and plain CHAT 
(p_g and p_c stand for the subscripted generator and consumer occurrences of p). 

We will address these two sources of added complexity separately and we start 
by dealing with the repeated traversal of the choice point stack as it introduces 
a technique that is also the basis for the more complicated trail sharing solution. 



4 Avoiding Repeated Traversal of Choice Points 

First note that visiting each choice point once does not affect the complexity. 
Indeed, this adds only a fixed cost to a choice point that was created already. 
Next, note that we must cater for the Prolog cut (!/0) which can cut away non- 
tabled choice points. As a design principle of CHAT is that no changes to the 
underlying WAM or its instructions should happen for plain Prolog execution, 
changing the implementation of cut itself is not an option (in many systems, cut 
is a constant time operation and does not traverse the choice point stack). Thus, 
we cannot put information in choice points that can disappear. Note however, 
that generators are used to produce all answers for consumers, so generator 
choice points are (and must be) immune to cuts. From this, it follows that a 
generator choice point is a safe place for storing information. Remember that 
CHAT adapts the H and EB fields of choice points. We will also make use of 
the ALT field of choice points, which indicates the next alternative. We will 
assume that one extra field in generator choice points is available: we call this 
field SALT and we use it for saving the value of an ALT field. However, Prolog 
choice points remain unchanged. We propose the code below to be executed 
upon CHAT-freezing a consumer C whose (nearest) generator is G. We also 
note that CHAT (as SLG-WAM) has constant time access to the choice point 
of G upon suspension of a consumer; e.g. via the completion stack. In words: 
for every choice point P between C and G, save its alternative in its EB field, 
change its alternative to a chat_choice instruction, set its H field to point to the 
generator choice point. Only the generator gets the values of EB and H which 
point at the current top of the local stack and the heap. The generator gets as 
alternative the new instruction chat_generator, which is a version of chat_choice 
for a generator. We will describe both new instructions later. 

    P := C[prevB]; 
    while (P != G && P[ALT] != chat_choice) 
    { P[EB] := P[ALT];          /* save ALT in the EB field */ 
      P[ALT] := chat_choice;    /* set ALT to chat_choice */ 
      P[H] := G;                /* link P to the generator */ 
      P := P[prevB];            /* continue with previous choice point */ 
    } 
    G[H] := H;                  /* the H register also equals C[H] */ 
    G[EB] := EB;                /* the EB register also equals C[EB] */ 
    if (G[ALT] != chat_generator) 
    { G[SALT] := G[ALT];        /* save generator's ALT field */ 
      G[ALT] := chat_generator; /* install a new alternative */ 
    } 

Fig. 4 parallels Fig. 2(a) & 2(b) and shows the state of the stacks immediately 
before and after the above code is executed (the trail remains unaffected and so 
is not shown). Choice points are now shown in more detail; in particular, their 
EB, H and (S)ALT fields are shown explicitly (some possible values appear in 
their alternative fields) as it is important to see what takes place. As in Fig. 2, 
let us assume that there are two Prolog choice points P1 and P2 between a 
generator G and a consumer choice point C. P and all choice points above G are 
not affected by the execution of the code. The stacks' state shown in Fig. 4(b) 
is the result of executing the code: the completion instruction is saved in the 
SALT field of the generator and changed into chat_generator; retry and trust are 
saved in P2[EB] and P1[EB] respectively and the corresponding ALT fields are 
changed into chat_choice. The values of EB and H (or alternatively the values 
of C[EB] and C[H]) are installed in the corresponding fields of G and the Prolog 
choice points P1 and P2 are linked directly to G through their H field. 

Fig. 4. Stacks while executing under an extended CHAT implementation: (a) right 
upon consumer CP creation; (b) after extended CHAT-freeze. 

Note that the above code also handles the case where more than one consumer 
is present, which in the original CHAT led to repeated traversal of the 
whole chain of choice points between the consumer and the generator. Indeed, 
the test for chat_choice in the condition of the while loop ensures that when a 
new consumer is frozen, a chain of choice points that was traversed before is not 
traversed again; thus, for each backtrack operation to a particular choice point, 
CHAT visits it at most once more than SLG-WAM. It also shows that setting 
the H and EB fields of G conceptually updates the EB and H fields of a set of 
choice points in a constant time operation. 

The above modification of CHAT is enough to get rid of the added complexity 
of changing the EB and H fields in the choice point stack as performed in the 
original CHAT. To complete this discussion, we consider the remaining four 
issues: the implementation of chat_choice, the implementation of chat_generator, 
backtracking over a generator, and the actions to be taken in case of a change 
of leaders: 



1. Consider a choice point P which has a chat_choice instruction and consider 
   backtracking to this choice point. For convenience, name a the value of the 
   ALT field that was replaced by chat_choice. a points to a retry or trust in- 
   struction (or one of their variants or another form of disjunction). chat_choice 
   first installs the EB and H fields from the generator. Thereby P loses the 
   link to the generator, but this link is indeed no longer needed. After that, 
   chat_choice transfers control to a. The code for chat_choice is given below: 

       alt := P[EB];      /* alt points to a now */ 
       G := P[H];         /* G points to the generator */ 
       P[EB] := G[EB];    /* install top of protected local stack */ 
       P[H] := G[H];      /* install top of protected heap */ 
       goto alt;          /* transfer control to a */ 



2. chat_generator is a version of chat_choice for generators: its implementation 
   is similar to that shown above taking into account differences in the fields of 
   choice points that are involved. Since in this case P = G, it might seem that 
   there was no need to change the ALT field of the generator and in fact, as far 
   as the management of H and EB fields is concerned, this is true. However, 
   all choice points need to have (a variant of) a chat_choice instruction as we 
   will also use this instruction for the purposes of sharing trail (cf. Section 5). 

3. On backtracking over G, one case is that G is a leader: then nothing spe- 
   cial needs to be done (except releasing frozen space and the CHAT areas), 
   and another that G is not a leader. In the latter, we consider G shortly 
   as a new consumer (for which no CHAT area is needed) and execute the 
   chat_choice code on the part of the choice point stack between G and its 
   nearest generator. 

4. A coup, i.e. a change of leaders, always happens by the creation of a con- 
   sumer C which turns one (or more than one) leader G into a non-leader 
   while some other older generator, say Gl, becomes the leader of the schedul- 
   ing component that G belongs to. Since Gl is necessarily older than G, the 
   generator nearest to C is always younger than or equal to G, so backtracking 
   over a generator as described above deals with this case already. In other 
   words, a coup requires no special action in the context of the extended CHAT 
   model. 
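The extended freeze loop and chat_choice of this section, as an added example that is not part of the paper or of the XSB/CHAT sources: a C model of the choice point stack that runs the Fig. 4 scenario (P, G, P1, P2, then consumer C1), backtracks to P2 through chat_choice, and then freezes a second consumer C2 created below a new P3. The machine struct, push, the visit counter and run_scenario are constructions of this example; the field names follow the paper. The second freeze stops at P1, which still carries chat_choice, so each choice point is re-marked only after it has actually been backtracked to.

```c
#include <stdio.h>

/* Added example, not CHAT/XSB source: choice point stack as an array, with
   B = index of the most recent choice point and -1 meaning "no older CP".
   The visit counter and the scenario are instrumentation for this demo. */
enum alt { RETRY, TRUST, COMPLETION, CHAT_CHOICE, CHAT_GENERATOR, CONSUMER };

typedef struct {
    enum alt ALT;   /* next alternative */
    int prevB;      /* older choice point */
    int H, EB;      /* saved tops of heap and local stack (EB also stores a saved ALT) */
    int SALT;       /* generators only: saved ALT */
} choicept;

typedef struct { choicept cp[16]; int B; } machine;

static int push(machine *m, enum alt a, int H, int EB) {
    int i = m->B + 1;
    m->cp[i].ALT = a; m->cp[i].prevB = m->B;
    m->cp[i].H = H;   m->cp[i].EB = EB;  m->cp[i].SALT = (int)a;
    return m->B = i;
}

/* Extended CHAT freeze of consumer c whose nearest generator is g, given the
   current H and EB registers. Returns the number of choice points visited. */
static int chat_freeze(machine *m, int c, int g, int Hreg, int EBreg) {
    int visited = 0, p = m->cp[c].prevB;
    while (p != g && m->cp[p].ALT != CHAT_CHOICE) {
        m->cp[p].EB  = (int)m->cp[p].ALT;   /* save ALT in the EB field */
        m->cp[p].ALT = CHAT_CHOICE;         /* set ALT to chat_choice */
        m->cp[p].H   = g;                   /* link P to the generator */
        p = m->cp[p].prevB;
        visited++;
    }
    m->cp[g].H  = Hreg;                     /* the H register also equals C[H] */
    m->cp[g].EB = EBreg;
    if (m->cp[g].ALT != CHAT_GENERATOR) {
        m->cp[g].SALT = (int)m->cp[g].ALT;  /* save the generator's ALT */
        m->cp[g].ALT  = CHAT_GENERATOR;
    }
    return visited;
}

/* chat_choice on backtracking to p: reinstall the protected tops from the
   generator, drop the link, and return the saved alternative to continue with. */
static enum alt chat_choice(machine *m, int p) {
    enum alt a = (enum alt)m->cp[p].EB;
    int g = m->cp[p].H;
    m->cp[p].EB  = m->cp[g].EB;
    m->cp[p].H   = m->cp[g].H;
    m->cp[p].ALT = a;
    return a;
}

/* Fig. 4 scenario plus a second consumer. out = { visits for C1, alternative
   resumed at P2, P2[H] after chat_choice, visits for C2, P1[ALT] at the end }.
   Returns 1 if the generator kept its saved completion ALT and the newest H. */
int run_scenario(int out[5]) {
    machine m = { .B = -1 };
    push(&m, RETRY, 10, 10);                  /* P  */
    int g  = push(&m, COMPLETION, 20, 20);    /* G  */
    int p1 = push(&m, TRUST, 30, 30);         /* P1 */
    int p2 = push(&m, RETRY, 40, 40);         /* P2 */
    int c1 = push(&m, CONSUMER, 50, 50);      /* C1, H = EB = 50 at creation */
    out[0] = chat_freeze(&m, c1, g, 50, 50);  /* marks P2 and P1 */
    m.B = p2;                                 /* C1 suspends: its choice point is popped */
    out[1] = chat_choice(&m, p2);             /* backtrack to P2: its retry is resumed */
    out[2] = m.cp[p2].H;                      /* protected heap top, 50 */
    push(&m, RETRY, 60, 60);                  /* P3, created by P2's alternative */
    int c2 = push(&m, CONSUMER, 70, 70);      /* C2 */
    out[3] = chat_freeze(&m, c2, g, 70, 70);  /* marks P3 and P2, stops at P1 */
    out[4] = m.cp[p1].ALT;                    /* P1 was never visited again */
    return m.cp[g].SALT == COMPLETION && m.cp[g].H == 70;
}

int main(void) {
    int out[5];
    int ok = run_scenario(out);
    printf("C1 freeze visited %d; P2 resumes alt %d with H=%d; C2 freeze visited %d; "
           "P1[ALT]=%d; generator consistent=%d\n", out[0], out[1], out[2], out[3], out[4], ok);
    return 0;
}
```

The two freezes together visit four choice points where the original CHAT would visit five (P3, P2 and P1 again for C2); the difference grows with the length of the chain, which is the complexity source 1 of Section 3.3.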
5 Sharing More Trail 



Let us initially assume that each generator G has an associated flat set S(G) 
of consumers C which have G as nearest generator; S(G) will later get more 
structure. All consumers in S(G) have copied (in CHAT areas) part of the trail 
and for each C one can find up to which trail value C has the trail saved. 
On backtracking to a choice point P with alternative chat_choice, CHAT has 
the chance to share the segment of the trail between the current top of trail 
TR and P[TR]: for the sake of explanation, let Q be the choice point that 
is immediately younger than P as in the picture below. Suppose Q once had 
a chat_choice instruction. This means that all consumers in S(G) that needed 
it (in the picture C1, C2, and C3) have copied the trail below Q[TR] (shown as 
the three regions below Q[TR]). Backtracking to P means that execution is 
about to forget the trail between Q[TR] and P[TR], so this is the moment to 
save it. CHAT saves it once and lets all the affected consumers share it using 
the same mechanism that is used for incremental copying of the trail on back- 
tracking over a non-leader generator (see [5]). If Q never had a chat_choice 
instruction, it might appear that the situation is more difficult, but it is sufficient 
to note that if Q never had a chat_choice instruction, there never was a consumer 
below Q. In that case, P must have lost any chat_choice instruction before 
backtracking from Q to P happened. This means that up to P, the trail was 
already saved for all relevant consumers. 

Before presenting code that achieves this sharing, we put some more struc- 
ture in the set S(G). Suppose execution backtracks to a choice point P with a 
chat_choice instruction. For each consumer C, we denote by chat_tr(C) the trail 
pointer up to which C has the trail in its CHAT area. Then, for every chat_tr(C) 
there is (or was) a choice point B such that either: 

1. B is still on the stack and chat_tr(C) = B[TR], or 

2. B has been removed (by trust or by cut) and the trail between chat_tr(C) 
   and P[TR] is still intact. 

In the first case, B is older than P or P = B and in both cases, no increment of 
trail must be copied for C. In the second case, if B is older than P, no increment 
must be copied for C. Otherwise, B is younger than P and the part of the trail 
between chat_tr(C) and P[TR] needs to be incrementally added to the CHAT 
area of C. Note also that the chat_tr(C) value for a particular C never increases 
in time, i.e. by copying more of the trail, chat_tr(C) moves higher in the stack 
and its value decreases. 

The set T = {tr | tr = chat_tr(C) ∧ tr > P[TR]} can be used to partition the 
set of consumers S(G) into sets CT(tr_i) according to the trail value up to 
which these consumers have the trail saved in their CHAT area. More formally, 
CT(tr_i) = {C | C ∈ S(G) ∧ tr_i ∈ T ∧ chat_tr(C) = tr_i} for i = 1, ..., n for some 
n and such that tr_i > tr_{i+1}. 

For a new consumer C with the same nearest generator G, if n ≠ 0 (S(G) ≠ ∅) 
then chat_tr(C) ≥ tr_1: equality is possible if no trailing occurred in the execution 
between the nearest choice point (whether generator or not) and C. This property 
is important: it ensures that new consumers can be added to S(G) in constant 
time and that the set S(G) can be managed with no added complexity. 

Trail sharing implementation With the definitions of CT(tr_i) as above, 
tr_{n+1} defined as P[TR], and CT(tr_{n+1}) = ∅, the code to achieve trail sharing is: 

    CT := CT(tr_1); 
    for (i = 1; i <= n; i++) 
    { construct (in a new CHAT area) the value trail between tr_i and tr_{i+1}; 
      link this new CHAT area to the CHAT area of each consumer in CT; 
      CT := CT ∪ CT(tr_{i+1}); 
      S(G) := S(G) \ CT(tr_i); 
    } 
    S(G) := S(G) ∪ CT;   /* all consumers in CT have the same chat_tr(C) = P[TR] */ 

This code is executed at the end of the chat_choice (and chat_generator) instruc- 
tion, e.g. just before its goto alt statement (see Section 4). n is the number of 
sets CT(tr_i) in the partition of S(G). In an actual implementation, one would 
implement and maintain the sets CT(tr_i) as an ordered linked list. There would 
be no need for having n explicitly, so the use of n does not add extra complexity. 
The step that links the saved trail to the consumers in CT has in CHAT a cost 
equivalent to the cost of the back-pointers in the forward trail of SLG-WAM. 

The tree structure of CHAT areas To further understand how the imple- 
mentation of trail sharing has the desired complexity, we make explicit the tree 
structure of CHAT areas and how the trail is shared. When a consumer is frozen, 
its initial CHAT area is created; it contains just the consumer choice point and 
a link to a linked list of CHAT trail chunks. One such chunk consists of: 

1. the value of the trail pointer up to which this chunk contains a reconstruction 
   of the value trail 

2. the reconstructed value trail 

3. a link to the next chunk in the chain 

So, initially, the chain contains one cell, in which the trail pointer equals C[TR] 
(if C is the consumer choice point) and an empty value trail: indeed, nothing 
below C[TR] has been copied (and never will be). This initialization has been 
chosen for reasons of simplicity, not by necessity. When an incremented part 
is added to a chain, it is added at the end. Two descendants of one node in 
the tree necessarily have the same trail pointer value. The set S(G) is actu- 
ally a forest of such CHAT area trees: there is a tree for each chat_tr(C) with 
C ∈ S(G); see Fig. 5. One can see three consumers with their choice points 
C1, C2, C3. In the trail chunks, we have indicated the TR value (the numbers 3, 
4, 5 and 8) and the reconstructed trail segments: either by [] (for indicating an 
empty segment) or a number of dots equal to the number of trail entries. This 
number equals the difference between the TR value of the (any) descendant and 
the TR value of the chunk itself. In Fig. 5, C1 and C2 share the part of the 
trail between 3 and 5. If backtracking now happens to a choice point with a 
chat_choice and with a TR value smaller than 3, say 1, then all three consumers 
will share the segment between 1 and 3. 

We can now refine the structure of S(G): it is the list of roots in the forest 
of CHAT areas. This list is sorted in decreasing order of the values of their TR 
field. This ordering ensures that adding a new consumer to S(G) is a constant 
time operation, since the new consumer has a TR root field that is larger than 
(or equal to) any element of S(G). Also, the set operations in the code above 
become O(1). 

Finally, we deal with the set S(G) on backtracking over G. If G is a leader, 
then all consumers that G was responsible for have consumed all their answers: 
the CHAT area of these consumers can be released and the set S(G) as well. 
On backtracking over a non-leader G, we merge S(G) with S(G') where G' is 
the generator immediately younger than G: indeed, S(G') need not be empty! 

Fig. 5. A CHAT forest. 




The case of consumer below consumer Finally, we explain the only sit- 
uation that is not described yet: suppose a consumer has been reinstalled and 
consumed an answer; execution continues and suppose a new consumer is en- 
countered, as in the execution of the query ?- p_g(Z). against the program: 

    :- table p/1. 
    p(Z) :- p_c1(X), p_c2(Y), Z is X + Y, Z < 3. 
    p(1). 

(p_c1 and p_c2 are the two consumer occurrences of p, subscripted c1 and c2). 
Here, the second consumer has the same (nearest) generator as the first, but 
this is immaterial. As far as protecting the execution environment of p_c2(Y) 
through extended CHAT freeze is concerned, C1 can be temporarily treated as a 
Prolog choice point and the same code as in Section 4 can be used. Furthermore, 
the second consumer should share the part of the trail that the first consumer 
has in its CHAT area, i.e. the trail between C1[TR] and G[TR]. This sharing 
is most naturally established on backtracking over the first consumer, i.e. on 
backtracking to the generator (note that there is never a choice point between a 
reinstalled consumer and its scheduling generator; cf. Fig. 2(c)). This is achieved 
by adapting the code for the answer_return instruction (the instruction through 
which consumers resolve against answers) so that after consumption of the last 
answer, the CHAT trail of the consumer is linked to all CHAT areas needing it. 



6 Using the Trail Sharing on Reinstalling Consumers 

We have shown how CHAT can share trail chunks between suspended consumers 
in the same way as in SLG-WAM. This is nice, but not enough: CHAT needs to 
also be able to exploit this trail sharing when restoring environments. Indeed, 
SLG-WAM will undo and reinstall the minimal set of bindings needed for moving 
from one node (the source) in the search tree to another (the target). However, 
note the following: Moving between two non-consumers is the normal Prolog 
backtracking and sharing between such execution nodes never exists. Similarly, 
moving from a consumer to a non-consumer is either usual backtracking after 
the consumer's creation, or backtracking on completion of a scheduling generator 
and thus does not involve sharing of trail either. Thus, sharing is possible only 
when the target node is a consumer; still the source node can be a consumer 
or not. We will show that in both cases, the same use of trail sharing as in 
SLG-WAM can be achieved by CHAT without added complexity. 

6.1 Context switching from one consumer to another 

This is the situation in which a generator G schedules one consumer after an- 
other. To achieve trail sharing in CHAT, generators should be aware of the fact 
that they have previously scheduled some consumer. The mechanism for this is 
easy: on scheduling for the first time a consumer, CHAT can simply replace the 
completion instruction by a new instruction, say next_completion, which takes 
into account that scheduling has happened before, i.e. backtracking to this G 
possibly means that a context switch between consumers is about to take place. 
An alternative is to let a consumer, upon finishing consumption of the current set 
of available answers, set a flag that the completion instruction tests. Furthermore, 
each generator should know which consumer it has previously scheduled: again 
a global variable (set by the consumer) can be used, or the scheduling generator 
can keep it in one of its slots, or we can simply rely on the fact that in CHAT 
the consumer choice point is immediately below the generator and find out its 
identity from there. Let a1 denote the first trail area of the consumer which was 
already scheduled, and a2 likewise for the next consumer to be scheduled. Then 
CHAT can use the shared trail, which takes the form of a tree accessible from 
its leaves, in a way similar to how SLG-WAM finds the common part of the 
trail between two consumers. Detailed code to achieve this is given in Fig. 6. 
In this code, we have assumed that we can go up in the tree of CHAT trail ar- 
eas with a function up(area) and that a function TR(area) gives the trail pointer 
in that area. The test younger() reflects the order in which CHAT trail chunks 
are allocated; the implementation has to cater for it either using its own mem- 
ory allocator, or alternatively through timestamps. The code assumes there is 
a common ancestor and minor modifications cater for the case in which there 
isn't. The correctness of this code derives partly from the observation that 
two consumers never share their lowest trail segment. 



    tr1 := TR(a1); tr2 := TR(a2); 
    start := a2; 
    while (tr1 != tr2) 
    { if (younger(tr1, tr2)) 
      { a1 := up(a1); 
        untrail from tr1 to TR(a1); 
        tr1 := TR(a1); 
      } 
      else 
      { a2 := up(a2); 
        tr2 := TR(a2); 
      } 
    } 
    while (start != a2) 
    { reinstall_bindings_from(start); 
      start := up(start); 
    } 

Fig. 6. CHAT code to context-switch. 
In this way, the shared part of the trail is not de-installed and re-installed 
as in the original CHAT. Given the correspondence between the tree structure 
of the trail in CHAT and in SLG-WAM (cf. also Section 7), and by comparing 
this code to that given for the restore_bindings procedure in [11], it should be 
clear that the same use of sharing of trail parts is achieved as in SLG-WAM. 
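The following Python simulation is an added example, not code from the paper or from the CHAT implementation, of the context switch of Fig. 6 over a tree of trail areas. It assumes a per-area allocation timestamp for younger() (the timestamp alternative the text mentions), treats the absence of a common ancestor as running past a parentless root (the "minor modification" the text refers to), and counts untrail and reinstall operations so that the shared part of the trail can be seen to stay untouched; a full de-install/re-install of both paths is included for comparison. The sample tree in demo() is constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(eq=False)
class TrailArea:
    """One CHAT trail area: a chunk of reference-value pairs plus a link (up)
    to the area it hangs from. `stamp` is an allocation timestamp; areas are
    allocated parent-first, so a larger stamp means a younger area."""
    stamp: int
    bindings: Tuple[Tuple[str, int], ...]
    up: Optional["TrailArea"] = None


class TrailTree:
    """Allocates trail areas with increasing timestamps (assumed scheme)."""
    def __init__(self) -> None:
        self._next = 0

    def area(self, bindings, up: Optional[TrailArea] = None) -> TrailArea:
        a = TrailArea(self._next, tuple(bindings), up)
        self._next += 1
        return a


def younger(a: Optional[TrailArea], b: Optional[TrailArea]) -> bool:
    # "past the root" (None) is older than every real area
    return (a.stamp if a else -1) > (b.stamp if b else -1)


def install(store: Dict[str, int], leaf: Optional[TrailArea]) -> None:
    """Install every binding on the path from the root down to `leaf`."""
    if leaf is not None:
        install(store, leaf.up)
        store.update(leaf.bindings)


def path_entries(leaf: Optional[TrailArea]) -> int:
    n = 0
    while leaf is not None:
        n += len(leaf.bindings)
        leaf = leaf.up
    return n


def context_switch(store: Dict[str, int], a1: TrailArea, a2: TrailArea):
    """Fig. 6: the consumer whose leaf area is a1 is installed; switch to the
    consumer whose leaf area is a2, touching only the non-shared parts of the
    two paths. Returns (entries untrailed, entries reinstalled)."""
    untrailed = reinstalled = 0
    start = a2
    while a1 is not a2:
        if younger(a1, a2):
            # a younger area cannot be an ancestor of the other: undo its
            # chunk and move up on the side being left
            for ref, _ in a1.bindings:
                del store[ref]
                untrailed += 1
            a1 = a1.up
        else:
            a2 = a2.up
    # a2 is now the nearest common ancestor (or None): reinstall the rest
    while start is not a2:
        for ref, value in start.bindings:
            store[ref] = value
            reinstalled += 1
        start = start.up
    return untrailed, reinstalled


def full_switch(store: Dict[str, int], a1: TrailArea, a2: TrailArea):
    """Original CHAT behaviour for comparison: de-install the whole path of
    a1 and re-install the whole path of a2, shared part included."""
    a = a1
    while a is not None:
        for ref, _ in a.bindings:
            del store[ref]
        a = a.up
    install(store, a2)
    return path_entries(a1), path_entries(a2)


def demo():
    """Constructed sample: generator area g, a shared area s below it, and two
    consumer leaves c1, c2 both hanging off s."""
    t = TrailTree()
    g = t.area([("X", 1)])
    s = t.area([("T", 2)], up=g)
    c1 = t.area([("A", 10), ("B", 11)], up=s)
    c2 = t.area([("C", 20)], up=s)
    shared = {}
    install(shared, c1)
    shared_counts = context_switch(shared, c1, c2)
    naive = {}
    install(naive, c1)
    naive_counts = full_switch(naive, c1, c2)
    assert shared == naive  # both end with c2's bindings installed
    return shared_counts, naive_counts, shared


if __name__ == "__main__":
    print(demo())
```

In the sample tree the shared switch undoes only the two entries of c1 and reinstalls the single entry of c2, while the full switch touches all four entries on c1's path and all three on c2's; the bindings left installed are the same either way.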

6.2 Context switching from a non-consumer to a consumer 

This action happens on backtracking for the first time to a generator that has no 
more clauses to execute, so execution goes to the completion instruction which 
will schedule some consumer that waits for answers. The execution of the query 
?- pg(X). against the following piece of code shows such a situation. 

    :- table p/1.
    p(X) :- comp, q(T), r(T,X).
    r(1,X) :- pc(Y), X is Y + 1, X =< 200.
    r(2,100).
    q(1).
    q(2).

Suppose that the goal comp stands for a computation that left something on 
the trail but has no more choice points. The goal pc(Y) suspends. Then the goal 
q(T) backtracks to the second and last alternative and the generator gets its first 
answer (X = 100). Then backtracking occurs to the generator’s chat-generator 
instruction, which causes the trail part of comp to be added to the CHAT area 
of pc(Y). Then, on failing back to the generator choice point, a consumer is 
scheduled: in this case, there is only one consumer and one could argue that it 
is clear that its installation does not need to undo and then reinstall the bindings 
represented by the trail of comp. In general however, there can be several 
consumers. If any of these just got an increment of trail (because the generator 
had a chat-generator) and is now scheduled, sharing is easy to get, on condition 
that the generator remembers which consumers’ CHAT trails were just added to. 
It is fairly obvious how to do this and one gets again the same use of sharing as 
in SLG-WAM. 

In general, it is of course possible that on backtracking to a generator, it has 
the completion instruction instead of a chat-generator. This means that no con- 
sumer will get the youngest trail increment, simply because the last alternative 
of the generator did not have any consumers. That means also that sharing is 
impossible both in CHAT and SLG-WAM. 

Finally, note that giving up on using the sharing of trail when switching 
from a non-consumer to a consumer, does not increase the complexity of overall 
execution, as this happens for each generator only once and the extra cost is 
proportional to a trail chunk that was constructed before. This applies equally 
to both SLG-WAM and CHAT. 

7 More about the Trail 

In [5] we have already argued how the trail is different from the local stack and 
the heap: For the local stack and the heap, it is enough (for correctness) to 
maintain a safe approximation of their tops (any over estimation is safe). On 
the other hand, a WAM-based implementation must keep track exactly of which 
trail entries are between each two choice points. This is the deeper reason why 
the SLG-WAM uses back-pointers in its trail: the trail has a tree structure which 
mimics the tree structure of the choice points, but because choice points tend 
to disappear (by e.g. cut or trust) the trail has to maintain its tree structure 
independently. CHAT also uses back-pointers to link incremental CHAT trail 
areas: when each such trail area contains only one reference-value pair, the CHAT 
trail looks exactly like the backward-linked SLG-WAM trail. 

SLG-WAM trail without back-pointers This similarity between the incremental 
CHAT trail areas and the SLG-WAM trail raises the question whether it is also 
possible to implement a trail in SLG-WAM without all the back-pointers. This is 
indeed possible: Let trail chunk mean a part of the trail that was created between 
the execution of two try instructions. Let the first try instruction save TR on 
the trail stack. Subsequent trailing will consist in pushing only a reference- 
value pair. On the execution of the next try instruction, push the length of the 
trail chunk. It is easy to see that this organization still permits finding common 
ancestors. 

Also worth noting is that the SLG-WAM is pessimistic in that the reference- 
value pair is always constructed, while CHAT postpones construction of a value 
trail chunk until the trail on the stack is about to be overwritten. It follows that 
trail chunks in CHAT tend to be larger and less back-pointers will be needed, 
because choice points can disappear before the trail chunk is constructed. 

The concept of “nearest common ancestor” We take this opportunity to dwell 
on the SLG-WAM mechanism for finding the “nearest common ancestor” . Even 
though intuitively, the nearest common ancestor is a choice point, one has to 
take into account that choice points (between a consumer and its generator) 
can die earlier than the consumer because of cut or the trust instruction. This 
means that the nearest common choice point is time-dependent. However, for the 
context switch from one consumer to another, one does not need the common 
choice point, but rather the point up to which in the trail one needs to untrail 
and from which to start reinstalling bindings. Moreover, the trail reflects the tree 
of choice points as well, and is (barring tidy trail at cut) time-independent. This 
leads to the SLG-WAM mechanism for finding the nearest common ancestor, 
based on the trail and on the back-pointers in the trail entries. 

By using the choice points, a worse nearest common ancestor could be found 
in general: sub-optimal untrailing and reinstallation of bindings can result. More- 
over, even if choice points do not disappear, finding the common ancestor in 
SLG-WAM by following the (frozen) choice points can be arbitrarily worse than 
by following the backward-linked trail entries and can affect the overall com- 
plexity. To show this, it is enough to construct an example in which there are 
two execution paths leading from a generator to two consumers. Each path has 
one trail operation and a number N of choicepoints. It will follow that finding 
the common ancestor choice point of the consumers is O(N) while finding 
the common ancestor trail point is O(1). 

Footnote: Note that the top of the trail is (in SLG-WAM) in general not equal to TR. 
Footnote: The reverse is not true because untrailing and reinstalling the bindings is obviously 
linear in the size of the traversed trail. 

8 Space Complexity of CHAT Compared to SLG-WAM 

So far, we have argued that CHAT is O(SLG-WAM) time-wise. We now compare 
the space complexity of CHAT and SLG-WAM. In principle, we should consider 
each of the four stacks separately because each of them can exhibit different 
behavior. However, note that space requirements of local stack and heap are 
identical for CHAT and SLG-WAM. They are both based on making these stacks 
non-recoverable on backtracking and this happens exactly at the same moment in 
execution for both CHAT and SLG-WAM. Space is retained in both systems until 
completion of the scheduling component. The fact that the freezing mechanisms 
of the two tabling implementation alternatives are different plays no role. 

The following analysis assumes that SLG-WAM does not compact the stacks 
and that CHAT does not take advantage from performing selective completion. 
The reason is that with selective (i.e. non-stack based) completion it is easy 
for CHAT to release CHAT trail areas in constant time, while SLG-WAM can 
achieve the same space reclamation only by means of trail stack compaction 
which has a higher cost. We also do not consider the effects of tidying the trail 
on cut for reasons of simplicity. 

Space Bounds for the Trail Stack As mentioned in Section 3.1, each trail entry 
of the SLG-WAM requires three cells. In CHAT a trail entry requires one cell 
while in the (WAM) stack and two cells when in a CHAT area. In the CHAT 
area, one additional cell per chunk is needed to “connect” a saved trail area to 
its next increment. The latter implies that the worst case for the CHAT trail 
area occurs when each trail chunk consists of exactly one trail entry; the CHAT 
trail area corresponds exactly to a forward trail entry in SLG-WAM. Since in 
CHAT a trail entry can at the same time also be in the active computation, the 
following equality holds in this worst case: 

$$\mathit{trailsize}(\text{CHAT}) = \tfrac{4}{3}\,\mathit{trailsize}(\text{SLG-WAM})$$

The best case for CHAT occurs when there are no tabled subgoals, because then 
CHAT uses only one third the space, i.e. 

$$\mathit{trailsize}(\text{CHAT}) = \tfrac{1}{3}\,\mathit{trailsize}(\text{SLG-WAM})$$

In summary, we have that: 

$$\tfrac{1}{3} \le \frac{\mathit{trailsize}(\text{CHAT})}{\mathit{trailsize}(\text{SLG-WAM})} \le \tfrac{4}{3}$$
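The cell accounting behind these bounds, as an added example that is not part of the paper: a small Python model that counts trail cells for a sequence of trail chunks under both schemes, using the per-entry and per-chunk costs stated above (three cells per SLG-WAM entry; in CHAT one cell on the WAM trail stack per entry plus, for a chunk that has been saved into a CHAT area, two cells per entry and one linking cell). The chunk sizes and the saved/unsaved flags are constructed inputs.

```python
from fractions import Fraction
from typing import Sequence


def slgwam_trail_cells(chunk_sizes: Sequence[int]) -> int:
    """SLG-WAM: every trail entry is a forward trail entry of three cells."""
    return 3 * sum(chunk_sizes)


def chat_trail_cells(chunk_sizes: Sequence[int], saved: Sequence[bool]) -> int:
    """CHAT: one cell per entry on the WAM trail stack. A chunk copied into a
    CHAT area (saved[i] True, i.e. a consumer suspended below it) costs two
    more cells per entry plus one linking cell. The entry stays on the WAM
    stack while it is also in the CHAT area, so both copies are counted."""
    cells = 0
    for n, is_saved in zip(chunk_sizes, saved):
        cells += n
        if is_saved:
            cells += 2 * n + 1
    return cells


def trail_ratio(chunk_sizes: Sequence[int], saved: Sequence[bool]) -> Fraction:
    """trailsize(CHAT) / trailsize(SLG-WAM) as an exact fraction."""
    return Fraction(chat_trail_cells(chunk_sizes, saved),
                    slgwam_trail_cells(chunk_sizes))


def within_bounds(chunk_sizes: Sequence[int], saved: Sequence[bool]) -> bool:
    """The bound of the text: 1/3 <= ratio <= 4/3."""
    return Fraction(1, 3) <= trail_ratio(chunk_sizes, saved) <= Fraction(4, 3)


if __name__ == "__main__":
    # worst case: every saved chunk holds exactly one entry
    print(trail_ratio([1, 1, 1], [True, True, True]))   # 4/3
    # best case: nothing tabled, so no chunk is ever saved
    print(trail_ratio([2, 3], [False, False]))          # 1/3
```

Larger saved chunks amortize the linking cell, which is why the ratio only reaches 4/3 when every chunk is a single entry.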
Space Bound for the Choice Point Stack Concerning choice point space, CHAT 
can perform worse than SLG-WAM only because at some points of execution 
a consumer choice point can be both at the stack and in the CHAT area. The 
only point at which this happens is when a consumer is resumed and as long 
as it remains resumed; indeed, as long as it is suspended, the consumer resides 
only in the CHAT area. Since Prolog choice points between the generator and 
the consumer tend to favor CHAT (see example below) the worst case cannot 
involve such Prolog choice points. Since each generator G can have at most one 
resumed consumer C at a time and since each resumed consumer C can only exist 
if there is a corresponding generator G, the worst case consists in a succession 
of (G_i, C_i) pairs where each G_i has scheduled C_i. It follows that the following 
inequality holds as a worst case for CHAT: 

$$\frac{\mathit{choicepointsize}(\text{CHAT})}{\mathit{choicepointsize}(\text{SLG-WAM})} \le \tfrac{3}{2}$$

This flatters slightly SLG-WAM, as generator choice points tend to be larger 
than consumer choice points. 

On the other hand, CHAT wins from SLG-WAM arbitrarily when non-tabled 
choice points between the generator and consumer are popped on reinstalling 
the consumer. This can be seen in the program of Fig. 7: lots of Prolog choice 
points get trapped under a consumer; in CHAT, they can be reclaimed, while 
in SLG-WAM they are frozen and retained till completion. When called with 

    query(Choices, Consumers) :- p(_), create(Choices, Consumers), fail.

    create(Choices, Consumers) :- Consumers > 0,
        ( make_choicepoints(Choices), pc(Y), Y - 2
        ; C is Consumers - 1, create(Choices, C) ).

    make_choicepoints(C) :- C > 0, C1 is C - 1, make_choicepoints(C1).
    make_choicepoints(0).

    :- table p/1.
    p(1).

Fig. 7. Tabled program where CHAT has better space complexity than SLG-WAM. 

e.g. ?- query(29, 97). the maximal choice point usage of SLG-WAM is one 
generator, 29 * 97 Prolog choice points plus 97 consumer choice points; while 
CHAT’s maximal choice point usage is the generator, one consumer, 29 Prolog 
choice points and 97 consumer choice points in the CHAT areas. 

9 Related Work 

At least in the area of logic programming, “theoretical” implementation papers 
are not very common. Even at the level of the abstract machine specification, 
establishing correspondences between different implementation models and re- 
lating their properties is quite hard. As a result, the best that theoreticians have 
thus far achieved is either re-construct a particular abstract machine [8], or ver- 
ify that the machine [1] or its compiler [10] execute according to the intended 
semantics of the language. On the other side, implementors are usually content 
with fully describing their abstract machines, arguing why a particular operation 
is performed faster in their model (usually at the expense of other operations), 
and/or comparing their implementation’s performance against other systems on 
a “standard” set of benchmarks (see e.g. [13] and the references therein). To 
our knowledge, there is no result that a given abstract machine is optimal (i.e. 
uniformly better than the others): faithful comparisons between abstract ma- 
chine designs most often show trade-offs. Moreover, worst-case performance of 
abstract machines is often not mentioned, sometimes not even known by the au- 
thors to exist, or all too easily dismissed as unlikely to occur in practice. While 
this might be true for average uses of an abstract machine, we believe it is im- 
portant to know in advance how well the design scales and how the abstract 
machine’s performance evolves under extreme circumstances. 

There are of course notable exceptions that do prove complexity properties 
of abstract machines or of execution models. One nice such example is [7] which 
classifies various Or-parallel execution models based on primitive operations that 
need to be performed in this context (variable access, task creation and switch- 
ing) and shows a very strong, negative result: no implementation model (with 
finite number of processors) can perform all three operations in constant time. 
While the complexity result in [7] is about a class of execution models, our re- 
sult is more restricted, as it compares the characteristics of two specific abstract 
machines. This might account for our result being a positive one: namely that 
for the control of tabling, the same low cost of suspension/resumption can be 
obtained with environment sharing (as in SLG-WAM) or with a hybrid approach 
based on partial copying and partial sharing (as in CHAT). Consequently, the 
decision on which model to adopt can safely be based on other criteria, like e.g. 
performance overhead when tabling is not used or simplicity of implementation. 



10 Concluding Remarks 

We have shown how some adaptations of CHAT lead to an abstract machine 
for tabled evaluation that does not modify the WAM for non-tabled execution 
and still guarantees the same time and space complexity of tabled execution as 
SLG-WAM. Achieving this combination of strengths is by no means straight- 
forward; in fact, for many years, implementors believed this combination was 
impossible to obtain and the incorporation of tabling into a Prolog system has 
often been ruled out as too expensive. On the other hand, we have reasons to 
believe that the complexity result for the modified CHAT described in this pa- 
per might be more of theoretical than practical interest because it seems that 
usually the impact of repeated traversal and sub-optimal trail sharing is very 
low. Indeed, in practice original CHAT has better performance than SLG-WAM 
(even on programs dominated by tabled execution), and the worst cases for 
CHAT have not been observed in real applications. However, as noted, we think 
that it is essential to know that the original CHAT design is not “just a hacked 
WAM-based model for implementing tabling that happens to usually work well” 
but that once faced with real programs that suffer from CHAT’s worst-case 
complexity, there exists a “cure” in the form of a relatively simple addition. 

Another important idea of independent and more practical interest in this 
paper is that of manipulating some Prolog choice points — in a way that is trans- 
parent to the underlying WAM — to (temporarily) assume a new functionality, 
which in this case partly overlaps with the functionality that the SLG-WAM re- 
served for generators. This technique leads naturally to new scheduling strategies 
of the “premature scheduling” kind, i.e. where scheduling is not only possible by 
(real) generators, but also by intermediate Prolog choice points that function like 
scheduling generators for some time. One of the added values of doing so, is that 
these scheduling strategies have even less context switching overhead (between 
execution environments of consumers) than strategies currently known. This is 
because scheduling decisions would then take place lower, or in any case more 
locally, in the execution tree. Another advantage is that scheduling of some con- 
sumers can naturally occur even before the associated generators finish program 
clause resolution. The performance benefits of doing so are yet to be explored. 
Abstract. Proving failure of queries for definite logic programs can be 
done by constructing a finite model of the program in which the query is 
false. A general purpose model generator for first order logic can be used 
for this. A recent paper presented at PLILP98 shows how the peculiarities 
of definite programs can be exploited to obtain a better solution. There 
a procedure is described which combines abduction with tabulation and 
uses a meta-interpreter for heuristic control of the search. The current 
paper shows how similar results can be obtained by direct execution 
under the standard tabulation of the XSB-Prolog system. The loss of 
control is compensated for by better intelligent backtracking and more 
accurate failure analysis. 



1 Introduction 

In [2] methods are studied for proving that a query for a definite logic pro- 
gram fails. The general idea underlying all methods is the generation of a finite 
model of the definite program in which the query is false. However the approach 
developed in [2] is quite different from that used in general purpose model gen- 
erators for first order logic such as FINDER [10], SEM [12], and FMCATINF [7]. 
Whereas the latter systems search for a model in the space of interpretations, 
the former searches in the smaller space of pre-interpretations and applies a top- 
down proof procedure using tabulation to verify whether the query is false in 
the least model of the Horn theory based on the candidate pre-interpretation. 
Experiments in [3], an extended version of [2], show that the abductive proce- 
dure of [2] extended with intelligent backtracking [1] outperforms FINDER and 
FMCATINF on problems where there are a large number of different interpreta- 
tions for a given pre-interpretation. The difference is not only in the number of 
backtracks, but also, for some problems, in time, and this notwithstanding that the 
former is implemented as a straightforward meta-interpreter in Prolog while the 
latter are sophisticated implementations in a more low level language. 

The current paper describes how the meta-interpreter can be replaced by 
a more direct implementation in XSB-Prolog [9, 4] which relies on the XSB 
system to perform the tabulation. This is not a straightforward task because 
of the intelligent backtracking and because the meta-interpreter does not follow 
the standard depth-first left-to-right search strategy but uses heuristics to direct 
the search towards early failures and selects the pre-interpretation on the fly, as 
components are needed by the proof procedure. To exploit the tabling system 
underlying XSB, one has to stick to the depth-first left-to-right execution order 
and one should not modify the program by creating new components of the 
pre-interpretation while evaluating a call to a tabled predicate. 

The random selection of an initial pre-interpretation, combined with the loss 
of control over the search results in a system which has to explore a substantially 
larger part of the search space than the original system. The paper introduces 
two innovations to compensate for this. Firstly, it uses a variant of intelligent 
backtracking which is much less dependent on the random initial order of the 
choice points. Secondly, it introduces a more accurate failure analysis, so that 
smaller conflict sets are obtained and that the intelligent backtracking selects its 
targets with more accuracy. 

The motivation for this research is in the world of planning. Planners are 
typically programs which search in an infinite space of candidate plans for a plan 
satisfying all requirements. The planner searches forever (until some resource is 
exhausted) when no candidate plan satisfies all requirements. Hence it is useful 
to have methods to show that the problem has no solution. It turns out that our 
approach outperforms first order model generators on planning problems. 

In the next section we recall some basic notions about the semantics of definite 
logic programs. In Section 3 we describe our approach in more detail and then 
in Section 4 we show the results of testing our system on different problems. The 
comparison not only includes the model generator FINDER [10] as in [2], and 
FMCATINF as in [3] but also SEM [12]. 

2 Preliminaries 

Now we will recall some basic definitions about semantics of definite programs. 
Most of them are taken from [6]. 

A pre-interpretation J of a program P consists of a domain D = {d_1, ..., d_m}¹ 
and for each n-ary function symbol f in P a mapping f_J from D^n to D. Follow- 
ing the literature on model generators, a term of the form f(d_1, ..., d_n) where 
d_1, ..., d_n ∈ D is called a cell. Given a program P and domain size m, the set of 
all cells is fixed. A pair (c, v) where c is a cell and v ∈ D is the mapping of that 
cell is called a component and v the value of the component. A set of components 
defines a pre-interpretation if there is exactly one component (c, v) for each cell. 

A variable assignment V wrt. expression E and pre-interpretation J consists 
of an assignment of an element in the domain D for each variable in E. A 
term assignment wrt. J and V is defined as follows: each variable is given its 
assignment according to V; each constant is given its assignment according to 
J; if d_1, ..., d_n are the term assignments of t_1, ..., t_n then the assignment of 
f(t_1, ..., t_n) is the value of the cell f(d_1, ..., d_n). 

¹ We will consider only domains with finite size. 

An interpretation I based on a pre-interpretation J consists of a mapping 
p_I from D^n to {false, true} for every n-ary predicate p in P. An interpretation 
I is often defined as the set of atoms p(d_1, ..., d_n) for which p(d_1, ..., d_n) is 
mapped to true. An interpretation M is a model of a program P iff all clauses 
in P are true in M. For a definite program, the intersection of two models is 
also a model, hence a definite program always has a unique least model. As a 
consequence, if a conjunction of atoms is false in some model then it is also false 
in the least model of a definite program. 

Throughout the paper we will use the following simple example about even 
and odd numbers to show the different concepts and program transformations. 

    even(zero).
    even(s(X)) :- odd(X).
    odd(s(X)) :- even(X).

Consider a query ?- even(X), odd(X). For simplicity of the presentation we 
will add to the program the definite clause 

    even_odd :- even(X), odd(X).

and consider the query ?- even_odd. It cannot succeed as even_odd is 
not a logical consequence of the program. The SLD proof procedure does not 
terminate. This is still the case when extended with tabulation as in XSB-Prolog. 

We choose a domain with two elements D = {0, 1} and consider the pre- 
interpretation J = {zero_J = 0, s_J(0) = 1, s_J(1) = 0}. The least model of the 
definite program is {even(0), odd(1)} and the atom even_odd is false in this 
model. 



3 The Method 

Figure 1 shows the general architecture of the system. The input consists of a 
definite program P, a query ?-Q and domain size m. First the program and 
the query are transformed to P* and ?-Q*. The transformation replaces all 
function symbols with calls to predicates defining the components of the pre- 
interpretation and allows the program to collect the components which were 
used during the evaluation of the query. Also an initial pre-interpretation J is 
constructed for the given domain size m. Then the query ?-Q* is evaluated wrt. 
the program and the current pre-interpretation J. If the query succeeds then 
it also returns a set of components CS which are necessary for the success of the 
proof. Then, based on CS, the pre-interpretation is modified and the query is run 
again. If we have exhausted all possible pre-interpretations for the given domain 
size then we can eventually increase it and run the system again. If the query 
?-Q* fails then it is false in the least model based on the pre-interpretation J 
and we can conclude that the original query ?-Q cannot succeed. 

Fig. 1. System architecture 



3.1 Basic Transformation 



To evaluate the query in the least model based on a pre-interpretation J, we use a 
variant of the abstract compilation approach to program analysis used by Codish 
and Demoen in [5]. The pre-interpretation J of an n-ary function f is represented 
by a set of facts p_f(d_1, ..., d_n, v); one fact for each cell f(d_1, ..., d_n). In the 
source program, non-variable terms are represented by their pre-interpretation. 
This is achieved by replacing a term f(t_1, ..., t_n) by a fresh variable X and 
introducing a call p_f(t_1, ..., t_n, X). This transformation is repeated for the non- 
variable terms in t_1, ..., t_n until all functions are eliminated. Codish and Demoen 
evaluate the resulting DATALOG program bottom up, obtaining the least model 
which expresses declarative properties of the program. In [2], one also transforms 
the query and using a top-down procedure with tabulation checks whether it fails. 
Experience showed that one typically ends up with computing the whole model of 
the predicates reachable from the query. So the meta-interpreter used there tables 
only the most general call for each predicate. As we want direct execution under 
XSB, our transformation has to take care that a program predicate is only called 
with all variables free and different, so that XSB tables only the most general 
call. To achieve this, a predicate p_f(...) which is added to compute a term t 
in a call is inserted after the call and a predicate which is added to compute a 
term in the head is inserted at the end of the clause. Finally, when a call to a 
program predicate contains a variable X which already occurs to the left of its 
position in the clause, then it is replaced by a fresh variable Y and an equality 
X = Y is inserted after the call. The calls to the pre-interpretation are not 
tabled, and a call p_f(g(...), ...) is transformed into p_g(..., X), p_f(X, ...). This 
gives less branching than when p_g(...) is added after p_f(...). For our example 
this gives the following code: 

    even(X) :- p_zero(X).
    even(Y) :- odd(X), p_s(X,Y).
    odd(Y) :- even(X), p_s(X,Y).

    even_odd :- even(X), odd(X1), X1=X.

    p_zero(0).
    p_s(0,1).
    p_s(1,0).

In [2], values are assigned to the cells of the pre-interpretation in an abductive 
way, as needed by the heuristic search for a proof of the query. When a proof is 
found, standard backtracking occurs; the last assigned value is modified. To have 
direct execution under XSB, the pre-interpretation has to be fixed in advance. 
Obviously, it is not feasible to enumerate all possible pre-interpretations until one 
is found for which the query fails. The search has to be guided by the proof found 
so far. Failure analysis and intelligent backtracking have to be incorporated to 
obtain a usable system. 

3.2 Failure Analysis 

Elementary Failure Analysis. As the goal is to find a pre-interpretation for 
which the query fails, failure occurs when the query succeeds. In the more gen- 
eral setting of first order model generation, failure occurs when some formula 
gets the wrong truth value. The FINDER and FMCATINF systems keep track 
of which cells are used in evaluating a formula and when the formula receives 
the wrong truth value, the set of cells used in evaluating it is used to direct the 
backtracking. In [3] the meta-interpreter is extended with such a failure analysis 
and intelligent backtracking is used to guide the search. This substantially im- 
proved the performance of the system. Incorporating these features in the current 
approach, which relies on direct execution with XSB of the transformed query, 
requires special care. First let us formalize the notion of conflict set (refutation 
in first order model generators [7, 10]). 

Definition 1 (Conflict set). A conflict set CS of a definite program P and 
query Q is a finite set of components such that for any pre-interpretation J with 
CS ⊆ J, Q is true in every model of P based on J. 

The idea is that any pre-interpretation J which has the same values for all 
components from the conflict set CS cannot be extended to an interpretation in 
which the query fails. Hence any candidate pre-interpretation must differ from 
CS in the value of at least one component. Exploiting conflict sets requires first 
to compute them. This can be done by adding to the program predicates an extra 
argument which is used to collect the components used for solving a call to this 
predicate. For example a call even(X) is replaced by even(X,CS) and the answer 
even(0) becomes even(0,[p_zero(0)]). However there is a potential problem. 
Also even(0,[p_zero(0),p_s(0,1),p_s(1,0)]) is an answer. Previously, the 
tabling system did not recognize it as a new answer and did not use it to solve 
calls to even/1. But as the value of the added second argument differs from 
that in the first answer, XSB will also use it to solve calls to even/2 and it will 
obtain a third answer. Fortunately, if the list of used components is reduced to 
some canonical form, then the third answer will be identical to the second and 
the evaluation will terminate. However, this repetition of answers with different 
lists of components can substantially increase the cost of the query evaluation. 
Fortunately the XSB system has built-in predicates to inspect and modify the 
tables so we can control this behavior. The idea is to replace a clause 

    p(X,CS) :- Body.

with a clause 

    p(X,CS) :- Body, check_return(p(X,CS)).

When the body of the clause succeeds, XSB will process the answer p(X,CS) 
(add it to the table for the call to p/2 if it is new). Remember that, as the 
transformed program makes only most general calls, there is only one table as- 
sociated with each predicate. Using the built-ins, the predicate check_return/1 
looks up the previous answers in the table for p/2 and compares them with the 
candidate answer p(X,CS). If there is no other answer with the same X then 
check_return/1 and thus p/2 simply succeed. The interesting case is when the 
table already holds an answer p(X,CS_old) with a different conflict set CS_old (if 
CS_old = CS then XSB will recognize it is a duplicate answer). Then several 
strategies are possible for check_return/1: 

— The simplest approach is to let check_return/1 fail when the table already 
holds an answer with the same X. 

— An alternative approach is to check whether the new conflict set CS is 
“better” than CS_old. Then the old answer is removed from the table and 
check_return/1 succeeds. Otherwise check_return/1 fails. 

— Finally, but more expensive for the overall query evaluation, one could al- 
low several answers, only rejecting/removing redundant ones (p(X,CS_1) is 
redundant wrt. p(X,CS_2) if CS_1 ⊇ CS_2). 
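As an added example, not code from the paper or from XSB, the following Python program ties together Section 2 (the least model under a pre-interpretation), the transformed program of Section 3.1, and the conflict sets of this section. It evaluates the transformed even/odd program bottom-up over a given pre-interpretation J (the p_f facts are generated from J instead of being written as clauses), attaches to every answer the set of components its derivation used, keeps a single answer per atom in the spirit of check_return/1 using the second strategy above, with "better" taken to mean a proper subset (an assumption), and then enumerates the pre-interpretations of a given domain size, skipping every candidate that contains an already known conflict set, until one is found in which the query fails. The clause encoding as Python tuples is this example's own.

```python
import itertools
from typing import Dict, FrozenSet, Iterator, List, Tuple

# A cell is (function name, tuple of domain arguments); a component is
# (cell, value); an atom is (predicate name, tuple of domain values).
Cell = Tuple[str, Tuple[int, ...]]
Component = Tuple[Cell, int]
Atom = Tuple[str, Tuple[int, ...]]

# The transformed even/odd program of Section 3.1 as (head, head args, body).
# Body literals are program calls, p_<f> calls (last argument is the cell's
# value) and the equalities introduced for repeated variables.
PROGRAM = [
    ("even", ("X",), [("p_zero", ("X",))]),
    ("even", ("Y",), [("odd", ("X",)), ("p_s", ("X", "Y"))]),
    ("odd", ("Y",), [("even", ("X",)), ("p_s", ("X", "Y"))]),
    ("even_odd", (), [("even", ("X",)), ("odd", ("X1",)), ("=", ("X1", "X"))]),
]
FUNCTIONS = [("zero", 0), ("s", 1)]  # function symbols of the original program


def _unify(pattern, values, subst):
    """Bind the pattern's variables to domain values; None on a clash."""
    subst = dict(subst)
    for var, val in zip(pattern, values):
        if subst.setdefault(var, val) != val:
            return None
    return subst


def _solve(body, subst, model, J, used) -> Iterator[Tuple[dict, FrozenSet[Component]]]:
    """Enumerate solutions of a clause body left to right, accumulating the
    components used (p_f facts read off J) and the conflict sets of the
    answers taken from the current model."""
    if not body:
        yield subst, used
        return
    (pred, args), rest = body[0], body[1:]
    if pred == "=":
        # both sides are bound here: the transformation puts X = Y after the call
        if subst[args[0]] == subst[args[1]]:
            yield from _solve(rest, subst, model, J, used)
    elif pred.startswith("p_"):
        fname = pred[2:]
        for (cname, cargs), value in J.items():
            if cname == fname and len(cargs) + 1 == len(args):
                new = _unify(args, cargs + (value,), subst)
                if new is not None:
                    yield from _solve(rest, new, model, J, used | {((cname, cargs), value)})
    else:
        for (apred, aargs), acs in model.items():
            if apred == pred and len(aargs) == len(args):
                new = _unify(args, aargs, subst)
                if new is not None:
                    yield from _solve(rest, new, model, J, used | acs)


def least_model(program, J) -> Dict[Atom, FrozenSet[Component]]:
    """Bottom-up least model of the transformed program under J, mapping each
    derived atom to its conflict set. Like check_return/1, an atom keeps one
    answer, replaced only by a derivation with a strictly smaller component
    set (our reading of "better"), so the iteration terminates."""
    model: Dict[Atom, FrozenSet[Component]] = {}
    changed = True
    while changed:
        changed = False
        derived = []
        for head, hargs, body in program:
            for subst, used in _solve(body, {}, model, J, frozenset()):
                derived.append(((head, tuple(subst[a] for a in hargs)), used))
        for atom, used in derived:
            old = model.get(atom)
            if old is None or used < old:
                model[atom] = used
                changed = True
    return model


def cells(functions, m) -> List[Cell]:
    return [(name, args) for name, arity in functions
            for args in itertools.product(range(m), repeat=arity)]


def find_failing_preinterpretation(program, functions, query: Atom, m: int):
    """Enumerate all pre-interpretations of domain size m. A candidate that
    contains a conflict set found earlier cannot make the query fail
    (Definition 1) and is skipped. Returns (J or None, statistics)."""
    conflict_sets: List[FrozenSet[Component]] = []
    stats = {"evaluated": 0, "pruned": 0}
    cl = cells(functions, m)
    for values in itertools.product(range(m), repeat=len(cl)):
        J = dict(zip(cl, values))
        candidate = set(J.items())
        if any(cs <= candidate for cs in conflict_sets):
            stats["pruned"] += 1
            continue
        stats["evaluated"] += 1
        model = least_model(program, J)
        if query in model:
            conflict_sets.append(model[query])
        else:
            return J, stats
    return None, stats


if __name__ == "__main__":
    print(find_failing_preinterpretation(PROGRAM, FUNCTIONS, ("even_odd", ()), 2))
```

With domain size 2 the first candidate (zero_J = 0, s_J(0) = 0, s_J(1) = 0) makes even_odd true with conflict set {zero_J = 0, s_J(0) = 0}; the next candidate contains that set and is skipped without evaluation, and the third, zero_J = 0, s_J(0) = 1, s_J(1) = 0, is exactly the pre-interpretation of Section 2, whose least model {even(0), odd(1)} makes even_odd false.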

Advanced Failure Analysis. A conflict set can be called minimal if it has no 
proper subset which is a conflict set. Obviously it is not feasible to compute minimal 
conflict sets. However, simply collecting the components used in a proof can be a 
large overestimation. For example, in our planning problems, a three argument 
predicate is used: one argument is the initial state, one argument is the final state 
and one argument is the description of the derived plan. The pre-interpretation 
of the terms representing the plan is completely irrelevant for the failure of the 
query. However the components used to compute it will be part of the conflict 
set. 
To see how to refine our failure analysis, let us reconsider how answers are ob- 
tained. Using a slightly different notation, the base case of the even/1 predicate 
can be written as: 

even(X) :- X = 0_J. 

This represents the basic answer, parameterized by the pre-interpretation J. 
Now consider the definition of the odd/1 predicate: 

odd(X) :- even(Y), X = s_J(Y). 

An answer of odd/1 is obtained by performing resolution with the basic an- 
swer for even/1, yielding: 

odd(X) :- Y = X1, X1 = 0_J, X = s_J(Y). 

This can be generalized: answers for a predicate p/n are of the form 

$p(X_1, \ldots, X_n) \leftarrow X_1 = t_{1,J}, \ldots, X_n = t_{n,J}, Eqs$ 

with Eqs a set of equations involving $X_1, \ldots, X_n$ and some local variables 
$Y_1, \ldots, Y_m$. Under the elementary failure analysis the answer is $p(t_{1,J}, \ldots, t_{n,J})$ 
and the associated conflict set is the set of components used in computing 
$t_{1,J}, \ldots, t_{n,J}$ and the terms of Eqs. 

The basis for the advanced failure analysis is the observation that the answer 
clauses can be simplified while preserving the solution they represent. Terms form 
equivalence classes under a pre-interpretation. Members of the equivalence class 
can be represented by the domain element which is their pre-interpretation and 
equalities between terms modulo equivalence class can be simplified using three 
of the four Martelli-Montanari simplification rules: 

- $p(t_{1,J}, \ldots, t_{n,J}) \leftarrow X = X, Eqs$ is equivalent to 
  $p(t_{1,J}, \ldots, t_{n,J}) \leftarrow Eqs$ (remove) 

- $p(t_{1,J}, \ldots, t_{n,J}) \leftarrow t_J = X, Eqs$ is equivalent to 
  $p(t_{1,J}, \ldots, t_{n,J}) \leftarrow X = t_J, Eqs$ (switch) 

- $p(t_{1,J}, \ldots, t_{n,J}) \leftarrow X = t_J, Eqs$ is equivalent to 
  $p(t_{1,J}, \ldots, t_{n,J})\{X/t_J\} \leftarrow Eqs\{X/t_J\}$ (substitute) 

Note that $f_J(t_{1,J}, \ldots, t_{n,J}) = g_J(s_{1,J}, \ldots, s_{m,J}), Eqs$ is not equivalent to false 
(two different functors may be mapped to the same domain element) and that 
$f_J(t_{1,J}, \ldots, t_{n,J}) = f_J(s_{1,J}, \ldots, s_{n,J}), Eqs$ is not equivalent to 
$t_{1,J} = s_{1,J}, \ldots, t_{n,J} = s_{n,J}, Eqs$ (a pre-interpretation need not be injective 
in its arguments), hence peel is not allowed. 

So an answer can be simplified to a form 

$p(t_{1,J}, \ldots, t_{n,J}) \leftarrow Eqs$ 

where Eqs contains equations between non-variable terms and some of the $t_{i,J}$ 
in the head can be variables. The pre-interpretations in the terms of Eqs decide 
whether Eqs is interpreted as true or false, hence the components used in inter- 
preting the terms in Eqs form the real conflict set of the answer. However also 
the components used to interpret the terms $t_{i,J}$ of the head are important. When 
the answer is used to solve a call, they become part of new equations. Hence, with 
each variable we should associate a set holding the components used in evaluat- 
ing the term the variable is bound to and with each answer we should associate 
the “real” conflict set. Moreover, the execution of the equalities X = Y has to 
be monitored. When one of X or Y is free then unification can be performed, 
otherwise if X and Y have the same interpretation then the sets of components 
associated with X and Y have to be added to the conflict set of the answer (as 
before the equality fails when X and Y have a different interpretation). Note 
that our transformation is such that calls have fresh variables as arguments, so 
the equality between an argument of a call and an argument of an answer always 
involves a free variable and is correctly handled by standard unification. A final 
point is that the body of the compiled clause has to be carefully ordered: equal- 
ities on predicate calls involving a variable X should precede the interpretation 
of a term containing X, e.g. $p(X), Y = f_J(X)$ is a correct ordering: first the call 
p/1 binds X to a domain element and also returns the set of components $CS_X$ 
used in computing that domain element. Then Y is bound to a domain element 
and the set of components used in computing it is $\{f_J(X)\} \cup CS_X$. Taking the 
above into account, the code for our example is as follows: 

even(X,[]) :- comp(p_zero,[],X), check_return(even(X,[])). 
even(X,CS) :- odd(Y,CS), comp(p_s,[Y],X), check_return(even(X,CS)). 

odd(X,CS) :- even(Y,CS), comp(p_s,[Y],X), check_return(odd(X,CS)). 

even_odd(CS) :- 
    even(X,EvenCS), odd(Y,OddCS), 
    merge(EvenCS,OddCS,CS1), unify(X,Y,CS1,CS), 
    check_return(even_odd(CS)). 

Calls to the pre-interpretation are made through an intermediate predicate 
comp/3 defined below. The call to combine_arg_cs/3 collects the conflict sets 
associated with the ground arguments of the function to be interpreted (none 
if the argument is a free variable) in ArgsCS and merge/3 extends ArgsCS with 
Comp, the consulted component of the pre-interpretation, to obtain the final 
conflict set ResCS. 

comp(F,Args,R-ResCS) :- 
    combine_arg_cs(Args,RealArgs,ArgsCS), 
    append([F|RealArgs],[R],C), Comp =.. C, 
    call(Comp), 
    merge([Comp],ArgsCS,ResCS). 

combine_arg_cs([],[],[]). 
combine_arg_cs([A-[]|T],[A|T1],RestCS) :- !, 
    combine_arg_cs(T,T1,RestCS). 
combine_arg_cs([A-ACS|T],[A|T1],OutCS) :- 
    combine_arg_cs(T,T1,RestCS), 
    merge(ACS,RestCS,OutCS). 
The merge/3 predicate makes the union of two sets (represented as lists) 
and places the result in a canonical form and unify/4 is used to monitor the 
unification process and can be defined by the following Prolog code: 

unify(X,Y,S,S) :- (var(X) ; var(Y)), !, X = Y. 
unify(X-Sx,X-Sy,Sin,Sout) :- merge(Sx,Sy,S), merge(S,Sin,Sout). 

The first two arguments are the terms to be unified, the third is the current 
conflict set of the clause and the last argument is the new conflict set of the 
clause. The first clause handles the case that one is a free variable: unification is 
performed and the conflict set of the clause remains the same. The second clause 
handles the case that both arguments X and Y are bound to the same domain 
element (if they are bound to different domain elements the head does not unify 
and the equality fails). The set of components used in evaluating the first argument (Sx) and 
in evaluating the second argument (Sy) are added to Sin yielding Sout. 
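As an added illustration of the check_return/1 strategies listed above and of the even/odd code just shown (this is example code written for this page, not code from the paper), the following Python script evaluates the even/odd program bottom-up under one pre-interpretation J, carries with every derived domain element the set of cells consulted to compute it (the role of the R-ResCS pairs in the Prolog code), and lets check_return choose between the three strategies. The function names, the policy labels and the cell names 'zero', 's(0)', 's(1)' are this example's own choices; the per-variable tag and the clause-level conflict set are collapsed into one set, which changes nothing here because the only equation in a body is the final unify in even_odd.

```python
# Added example, not the paper's code: the even/odd program of Section 3.2
# evaluated bottom-up under a pre-interpretation J, with the cells consulted
# for every derived domain element carried along as its conflict set, and
# with the three check_return/1 strategies of the text.  Function names,
# policy labels and the cell names 'zero', 's(0)', 's(1)' are assumptions of
# this example.
from itertools import product

DOMAIN = (0, 1)
FIRST, BETTER, MULTI = "first", "better", "multi"


def cells(domain=DOMAIN):
    """All cells of a pre-interpretation for the signature {zero/0, s/1}."""
    return ["zero"] + ["s(%d)" % d for d in domain]


def check_return(table, x, cs, policy):
    """Model of check_return/1: decide whether answer p(x, cs) enters the table.

    `table` maps a domain element x to the list of conflict sets (frozensets
    of cell names) of the answers kept for x.  Returns True if it changed."""
    old = table.get(x)
    if old is None:                     # first answer for this x
        table[x] = [cs]
        return True
    if cs in old:                       # XSB itself drops duplicate answers
        return False
    if policy == FIRST:                 # keep the first answer, whatever its CS
        return False
    if policy == BETTER:                # replace when the new CS is shorter
        if len(cs) < len(old[0]):
            table[x] = [cs]
            return True
        return False
    # MULTI: keep several answers, reject/remove the redundant (superset) ones
    if any(cs >= o for o in old):
        return False
    table[x] = [o for o in old if not o >= cs] + [cs]
    return True


def least_model(J, policy=BETTER):
    """Tabled evaluation of
           even(zero).   even(s(Y)) :- odd(Y).   odd(s(Y)) :- even(Y).
    under J (dict cell -> domain element); iterate until no table changes."""
    even, odd = {}, {}
    changed = True
    while changed:
        changed = False
        changed |= check_return(even, J["zero"], frozenset({"zero"}), policy)
        for y, css in list(odd.items()):
            for cs in css:
                cell = "s(%d)" % y          # comp(p_s,[Y],X) consults this cell
                changed |= check_return(even, J[cell], cs | {cell}, policy)
        for y, css in list(even.items()):
            for cs in css:
                cell = "s(%d)" % y
                changed |= check_return(odd, J[cell], cs | {cell}, policy)
    return even, odd


def even_odd_conflicts(J, policy=BETTER):
    """Conflict sets of the answers to  even_odd :- even(X), odd(X).
    unify/4 succeeds only on equal domain elements and merges both tags;
    an empty result means the query fails, i.e. J proves its failure."""
    even, odd = least_model(J, policy)
    return {cs_e | cs_o
            for x in even.keys() & odd.keys()
            for cs_e in even[x] for cs_o in odd[x]}


def failing_preinterpretations(domain=DOMAIN, policy=BETTER):
    """All pre-interpretations over `domain` under which even_odd fails."""
    names = cells(domain)
    return [J for J in (dict(zip(names, vals))
                        for vals in product(domain, repeat=len(names)))
            if not even_odd_conflicts(J, policy)]


if __name__ == "__main__":
    J = {"zero": 0, "s(0)": 0, "s(1)": 1}
    print(even_odd_conflicts(J))            # only 'zero' and 's(0)' matter
    print(failing_preinterpretations())     # the two parity models
```

Under J = {zero: 0, s(0): 0, s(1): 1} the only conflict set is {zero, s(0)}: the cell s(1) is never consulted, so every pre-interpretation that agrees with J on zero and s(0) can be skipped, which is exactly what the backtracking of Section 3.3 exploits. Over the two-element domain, exactly the two parity models make the query fail, independently of the check_return policy (the policy affects only which conflict sets are reported, not which domain elements are derived).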



3.3 Intelligent Backtracking 

Under standard backtracking, candidate pre-interpretations are enumerated ac- 
cording to some fixed total ordering $c_1, c_2, \ldots, c_n$ of the cells. When some partial 
solution $c_1 = d_1, c_2 = d_2, \ldots, c_m = d_m$ is rejected then the value assignment 
for the last cell $c_m$ is modified. If no other value is left, then $c_{m-1}$ is modified 
(and all domain elements become again available for $c_m$). The simplest use of 
conflict sets is based on the observation that no extension of the conflict set can 
be a solution, so the last element according to the total order over the cells of the 
conflict set is selected and the assignment to this cell is modified. However also 
secondary conflict sets can be derived [1]. Assume, due to different conflicts, all 
values $d_1, \ldots, d_m$ for some cell $c_n$ have been rejected. With $\{c_{i,1}, \ldots, c_{i,k_i}, c_n\}$ the 
conflict set which led to the rejection of $d_i$ we can formalize the knowledge in the 
conflict sets as: 

$c_{1,1} = d_{1,1} \wedge \ldots \wedge c_{1,k_1} = d_{1,k_1} \wedge c_n = d_1 \rightarrow \mathit{false}$ 
$\ldots$ 
$c_{m,1} = d_{m,1} \wedge \ldots \wedge c_{m,k_m} = d_{m,k_m} \wedge c_n = d_m \rightarrow \mathit{false}$. 

As we have that cell $c_n$ must be assigned some domain element, we have 
$c_n = d_1 \vee \ldots \vee c_n = d_m$. Applying hyper-resolution [8], one can infer 

$c_{1,1} = d_{1,1} \wedge \ldots \wedge c_{1,k_1} = d_{1,k_1} \wedge \ldots \wedge c_{m,1} = d_{m,1} \wedge \ldots \wedge c_{m,k_m} = d_{m,k_m} \rightarrow \mathit{false}$ 

which says that $\{c_{1,1}, \ldots, c_{1,k_1}, \ldots, c_{m,1}, \ldots, c_{m,k_m}\}$ is also a conflict set. 

At the implementation level, an accumulated conflict set is associated with 
each cell and initialized as empty. When a conflict $\{c_1, \ldots, c_{n-1}, c_n\}$ is derived 
with $c_n$ its last cell, then $\{c_1, \ldots, c_{n-1}\}$ is added to the accumulated conflict 
set of $c_n$. Once all assignments to a cell are exhausted, its associated conflict set 
holds the secondary conflict which can be used to direct further backtracking. 
This is the approach taken in [3] where it worked quite well, as the initial order 
was carefully chosen. In the current implementation, where the initial order over 
the cells is random, the system had to do much more search before finding a 
solution. Hence we adopted a variant of intelligent backtracking mentioned in 
[1] which leaves the cells unordered until they participate in a conflict. Under 
this approach, cells are split over two sets, a set with a total order (initially 
empty) and a set which is unordered. When a conflict is found, the cells from 
it which are in the unordered set (if any) are moved to the end of the ordered 
set. Then the last cell of the conflict set is chosen as target of the backtracking. 
Cells which are after the target in the total order return to the unordered set. 
This approach resulted in substantially better results. 
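The following Python function, added here as an illustration and not taken from the paper's implementation, carries out the search just described: cells without a position are kept in an unordered pool, enter the ordered sequence when they first appear in a conflict, and drop out of it again when a jump to an earlier target discards them; the conflicts that exhaust a cell are accumulated so that their union becomes the secondary conflict of the hyper-resolution step. The search is parameterized by an oracle evaluate(assignment) that returns None for a solution and otherwise a conflict set, so any conflict source fits; the two constructed instances (2-colouring of a path and of a triangle) stand in for a query evaluation with failure analysis and are not from the paper.

```python
# Added example, not the paper's implementation: conflict-directed search over
# the cells of a pre-interpretation in the style of Section 3.3.  Cells stay
# unordered until they appear in a conflict; the conflicts that exhaust a cell
# are accumulated and their union is the secondary conflict.  The oracle
# interface and the constructed colouring instances are this example's own.

def search(cells, domain, evaluate, trace=None):
    """Return an assignment (dict cell -> value) for which evaluate() is None,
    or None when the accumulated conflicts show that none exists.

    evaluate(assignment) returns None for a solution and otherwise a conflict
    set: a set of cells such that no assignment agreeing with the current
    one on those cells is a solution.  `trace`, if given, collects every
    assignment that was evaluated."""
    assignment = {c: domain[0] for c in cells}  # unordered cells keep a value
    ordered = []                                # cells with a fixed position
    remaining = {}                              # untried values, ordered cells
    acc = {}                                    # accumulated conflict per cell
    while True:
        if trace is not None:
            trace.append(dict(assignment))
        conflict = evaluate(assignment)
        if conflict is None:
            return assignment
        # unordered cells of the conflict go to the end of the ordered set
        for c in sorted(conflict, key=cells.index):
            if c not in remaining:
                ordered.append(c)
                remaining[c] = [v for v in domain if v != assignment[c]]
                acc[c] = set()
        while True:
            if not conflict:            # empty conflict: nothing can succeed
                return None
            target = max(conflict, key=ordered.index)   # last cell in order
            pos = ordered.index(target)
            for c in ordered[pos + 1:]: # later cells become unordered again
                del remaining[c]
                del acc[c]
            del ordered[pos + 1:]
            acc[target] |= conflict - {target}
            if remaining[target]:
                assignment[target] = remaining[target].pop(0)
                break
            # all values of target rejected: by hyper-resolution the union
            # of the earlier cells of those conflicts is itself a conflict
            conflict = acc[target]
            ordered.pop()
            del remaining[target]
            del acc[target]


def constraints_oracle(constraints):
    """evaluate() built from (cells, predicate) pairs; the cells of the first
    violated constraint form the conflict set (a query evaluation with
    failure analysis plays this role for a pre-interpretation)."""
    def evaluate(assignment):
        for cs, ok in constraints:
            if not ok(*(assignment[c] for c in cs)):
                return set(cs)
        return None
    return evaluate


# Constructed instances: 2-colouring of a path (solvable) and of a triangle
# (unsolvable, so every candidate has to be refuted by conflicts).
def different(x, y):
    return x != y

PATH = [(("a", "b"), different), (("b", "c"), different)]
TRIANGLE = PATH + [(("a", "c"), different)]

if __name__ == "__main__":
    steps = []
    print(search(["a", "b", "c"], [0, 1], constraints_oracle(PATH)))
    print(search(["a", "b", "c"], [0, 1], constraints_oracle(TRIANGLE), steps),
          "after", len(steps), "evaluations")
```

On the triangle over a two-element domain the search evaluates six assignments before the accumulated conflict of the first cell becomes empty, which is the proof that no assignment exists; a cell only ever receives a position after it has been blamed by a conflict, so cells that never matter never enter the order.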

3.4 Dealing with Equational Problems 

There exist many problems which contain only one predicate, the equality pred- 
icate eq/2. They consist of a number of facts $eq(t_{i,1}, t_{i,2})$ for $i = 1, \ldots, m$ and 
a number of denials $\leftarrow eq(s_{j,1}, s_{j,2})$ for $j = 1, \ldots, n$. To solve such problems, 
one has to add to the program the axioms for the equality theory for reflexivity, 
symmetry, transitivity and function substitution, the latter consists of an axiom 

$f(X_1, \ldots, X_n) = f(Y_1, \ldots, Y_n) \leftarrow X_1 = Y_1 \wedge \ldots \wedge X_n = Y_n$ 

for each functor f/n. The least model of the standard equality theory is the 
identity relation over the domain of the interpretation, hence the search space 
can be reduced by restricting the interpretation of eq/2 to the identity relation. 

In the abductive system of [3], this is achieved by initializing the interpre- 
tation of eq/2 as identity, and removing the standard equality theory (only the 
problem specific facts and denials remain). Backtracking is initiated as soon as 
either one of the denials $eq(s_{j,1}, s_{j,2})$ evaluates to true or one of the facts $eq(t_{i,1}, t_{i,2})$ 
results in an answer which is not in the identity relation. 

With direct execution under XSB, a slightly different approach is required. 
Unification reduces to the identity relation, hence after compiling the terms, the 
call to eq/2 can be done by unifying the compiled terms. However, the problem 
is that all facts and denials need to be activated. Therefore a new predicate p/0 
is introduced and defined as follows: 

$p \leftarrow \neg eq(t_{i,1}, t_{i,2}).$   $i = 1, \ldots, m$ 
$p \leftarrow eq(s_{j,1}, s_{j,2}).$   $j = 1, \ldots, n$ 

Proving failure of the query $\leftarrow p$ yields the desired pre-interpretation. Indeed p 
is equivalent to 

$p \leftarrow \bigvee_{1 \le i \le m} \exists\, \neg eq(t_{i,1}, t_{i,2}) \vee \bigvee_{1 \le j \le n} \exists\, eq(s_{j,1}, s_{j,2}).$ 

Hence p fails if the right-hand side is false, i.e. if 

$\bigwedge_{1 \le i \le m} \forall\, eq(t_{i,1}, t_{i,2}) \wedge \bigwedge_{1 \le j \le n} \forall\, \neg eq(s_{j,1}, s_{j,2})$ 

is true. $\forall\, eq(t_{i,1}, t_{i,2})$ is equivalent with the fact $eq(t_{i,1}, t_{i,2})$ and $\forall\, \neg eq(s_{j,1}, s_{j,2})$ is 
equivalent to the denial $\leftarrow eq(s_{j,1}, s_{j,2})$. Thus p fails if the conjunction of the orig- 
inal facts and denials is true under the chosen pre-interpretation. Compilation 
of terms is as described in Section 3.1, i.e. a call $eq(s_{j,1}, s_{j,2})$ is replaced by a call 
$X_{j,1} = X_{j,2}$ preceded by the code computing the pre-interpretation of $s_{j,1}$ and $s_{j,2}$. 
A call $\neg eq(t_{i,1}, t_{i,2})$ is handled in a similar way; the built-in \= (not unifiable) 
can be used instead of not equal. However, special care is required to ensure the 
arguments are ground in case $t_{i,1}$ or $t_{i,2}$ is a variable. Whereas the compilation 
leaves such variables intact, here it has to be mapped (the mapping introduces 
a backtrack point) to a domain element. 

Similarly as in Section 3.2, conflict sets can be associated with terms for the 
task of advanced failure analysis. Hence a call $\neg eq(t_{i,1}, t_{i,2})$ is transformed in the 
sequence $interpret(t_{i,1}, X_{i,1}), interpret(t_{i,2}, X_{i,2}), disunify(X_{i,1}, X_{i,2}, Sin, Sout)$ where 
interpret/2 is an abbreviation for the sequence of calls computing the pre- 
interpretation of the term and the associated conflict set and disunify/4 is 
defined as 

disunify(X-Sx,Y-Sy,Sin,Sout) :- 
    X \= Y, merge(Sx,Sy,S), merge(S,Sin,Sout). 
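To make the grounding of non-ground facts and the asymmetry between facts and denials concrete, here is an added Python rendering (not the paper's code) of the p/0 construction: interpret computes a term's domain element together with its conflict set, the variables of a fact or denial are mapped to domain elements by enumeration (the backtrack point mentioned above), and p_succeeds returns the conflict set of the first clause of p that succeeds, or None when p fails, i.e. when J is a model of the problem. The term encoding as tuples, the helper names and the constructed problem (an involution f with f(a) different from a) are this example's own assumptions.

```python
# Added example, not the paper's code: an equational problem (facts
# eq(t1,t2), denials <- eq(s1,s2)) evaluated under a pre-interpretation J
# as in Section 3.4.  Terms are tuples ('f', arg, ...), constants 1-tuples
# such as ('a',), variables plain strings; J maps cells (f, d1, ..., dn) to
# domain elements.  The encoding and the constructed problem are assumptions
# of this example.
from itertools import product


def variables(term):
    """Set of variable names occurring in a term."""
    if isinstance(term, str):
        return {term}
    return set().union(*(variables(a) for a in term[1:]))


def interpret(term, J, env):
    """interpret/2 of the text: (domain element, conflict set) of a term
    whose variables are mapped to domain elements by env."""
    if isinstance(term, str):
        return env[term], frozenset()
    f, *args = term
    vals, cs = [], frozenset()
    for a in args:
        v, acs = interpret(a, J, env)
        vals.append(v)
        cs |= acs
    cell = (f, *vals)                   # the cell f_J(d1,...,dn) consulted
    return J[cell], cs | {cell}


def p_succeeds(J, domain, facts, denials):
    """The p/0 of Section 3.4.  Returns the conflict set of the first clause
    of p that succeeds (a fact clause via disunify, a denial clause via
    unification), or None when p fails, i.e. J is a model of the problem.
    Variables are grounded by trying every mapping to domain elements, the
    backtrack point the text mentions."""
    clauses = [(t1, t2, True) for t1, t2 in facts] + \
              [(s1, s2, False) for s1, s2 in denials]
    for t1, t2, negated in clauses:
        vs = sorted(variables(t1) | variables(t2))
        for vals in product(domain, repeat=len(vs)):
            env = dict(zip(vs, vals))
            x1, cs1 = interpret(t1, J, env)
            x2, cs2 = interpret(t2, J, env)
            if (x1 != x2) == negated:   # X \= Y for the fact, X = Y for the denial
                return cs1 | cs2
    return None


def models(domain, cells, facts, denials):
    """All pre-interpretations over `domain` that prove failure of p."""
    return [J for J in (dict(zip(cells, vals))
                        for vals in product(domain, repeat=len(cells)))
            if p_succeeds(J, domain, facts, denials) is None]


# Constructed problem: f is an involution, but f(a) differs from a.
FACTS = [(("f", ("f", "X")), "X")]          # eq(f(f(X)), X)
DENIALS = [(("f", ("a",)), ("a",))]         # <- eq(f(a), a)
CELLS = [("a",), ("f", 0), ("f", 1)]

if __name__ == "__main__":
    J = {("a",): 0, ("f", 0): 1, ("f", 1): 0}
    print(p_succeeds(J, [0, 1], FACTS, DENIALS))       # None: J is a model
    print(models([0, 1], CELLS, FACTS, DENIALS))
```

Two points the code makes visible: under J = {a: 0, f(0): 0, f(1): 1} the denial clause succeeds with conflict set {a, f(0)} and f(1) is not blamed, while under J = {a: 0, f(0): 1, f(1): 1} the fact clause succeeds (with X = 0) with conflict set {f(0), f(1)} and the cell for a is not blamed. Over the two-element domain exactly the two pre-interpretations in which f swaps the elements are models, whatever a is mapped to.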

4 Experiments 

4.1 The Problems 

We tested our system with a large number of different problems. Below we give 
a short description for each one of them and for some of them the source code 
is given in Appendix A. 

List Manipulation. The appendlast problem uses the standard definition of 
the predicates append and last and the following query: 

appendlast :- append(X, [a], Xs), last(Xs, b). 

The reverselast problem is similar to the appendlast problem but uses the 
version of the predicate reverse with accumulator: 

reverselast :- reverse(L, R, [a]), last(R, b). 

The nreverselast problem uses the “naive” definition of reverse: 

nreverselast :- reverse([a|X], R), last(R, b). 

Multisets. The multiset?o problems are programs to check the equivalence of two mul- 
tisets using a binary operator “o” to represent them. multiset3o is a problem 
which has a solution, thus failure cannot be proven for it. 



Planning in the Blocks-World. These are simple problems for planning in 
the blocks-world. The theory for the blockpair problems has, besides the usual 
actions of the blocks-world, an action to add or remove a pair of blocks. In the 
blockzero problems, the extra action is to create a new block named s(X) on 
top of a clear block X. 

The queries ending in “o” use multisets based on the function o/2 and those 
ending in “l” use a standard list representation. Those problems which have the 
number 2 in their name do not collect the plan and those having 3 store the plan 
in the second argument. blockzero2ls¹ is a problem which has a solution. 



TPTP-Problems. The rest of the examples are taken from the TPTP problem 
library [11]. In Table 1 in brackets are given the TPTP names for each one of 
them. All these problems are equational problems and are transformed in the 
way described in Section 3.4. 

The tba problem is to prove an independence of one axiom for ternary boolean 
algebra. 

The grp problem is to prove that some axiom is not a single axiom for group 
theory. 

The cl3 problem is from the domain of combinatory logic and the goal is to find 
a set of combinators which satisfy axioms S and W and do not satisfy the weak 
fixed point property. 

Table 1 gives some details about the properties of the problems. The column 
#pred shows the number of predicates. The column size dom gives the domain 
size for which the query has been evaluated (which is, for the failing queries, 
the minimum domain size for which a model proving failure exists). The column 
size pre gives the number of cells in the pre-interpretation and the next column 
#pre gives the number of all possible pre-interpretations for the given domain 
size. The column size int gives the number of atoms to be assigned a truth value 
in an interpretation and the last column #int/pre gives the number of different 
interpretations for a fixed pre-interpretation. For the TPTP problems this value 
is 1 because they have only one predicate for which the interpretation is known 
to be identity. 

4.2 Results 

The results with FMCATINF were taken from [7] or were sent to us by its author 
who was using a SUN 4 ELC machine. All other systems were run on a SUN 
Sparc Ultra-2 computer. The system AB is the abductive system described in 

¹ corresponds to blocksol in [2] and [3] 
Table 1. Example properties 

Example          #pred  size dom  size pre   #pre   size int  #int/pre 
appendlast         2       3        12       3^12      13      2^13 
reverselast        2       3        12       3^12      13      2^13 
nreverselast       3       5        28       5^28     150      2^150 
multiset1o         1       2         7       2^7        4      2^4 
multiset2o         1       2         7       2^7        4      2^4 
multiset3o         1       2         7       2^7        4      2^4 
blockpair2o        3       2        19       2^19      12      2^12 
blockpair3o        3       2        36       2^36      20      2^20 
blockpair2l        5       2        19       2^19      32      2^32 
blockpair3l        5       2        36       2^36      40      2^40 
blockzero2o        3       2        19       2^19      12      2^12 
blockzero3o        3       2        35       2^35      20      2^20 
blockzero2l        5       2        19       2^19      32      2^32 
blockzero3l        5       2        35       2^35      40      2^40 
blockzero2ls       5       2        19       2^19      32      2^32 
tba (BOO019-1)     1       3        32       3^32       9      1 
grp (GRP081-1)     1       2        17       2^17       4      1 
cl3 (COL005-1)     1       3        12       3^12       9      1 



[3], however, running under (the slower) XSB-Prolog instead of Master Prolog 
for equal comparison. We used FINDER [10] version 3.0.2 and SEM [12] version 
1.7 which are well known model generators implemented in C. 

The system naive results from the direct translation of the system AB to XSB: 
it uses the same failure analysis, it starts from a random total order over the 
cells of the pre-interpretation and it uses the simplest variant of check_return 
which sticks to the first answer whatever the associated conflict set is. For the 
TPTP problems the standard equality axioms were used. 

The systems single CS and best CS use a more sophisticated version of 
check_return which prefers the answer with the shorter conflict set, advanced 
failure analysis and the more sophisticated version of intelligent backtracking 
which leaves elements unordered until they participate in a conflict set. The 
system single CS uses the first answer to the top level query to direct the back- 
tracking. The system best CS computes all answers to the top level query and 
then selects from them the conflict set which will add the fewest number of cells 
to the ordered sequence. Both systems use the technique described in Section 3.4 
on the TPTP problems. 

Table 2 gives the times obtained by the different systems. The time is in 
seconds unless followed by H, then it is in hours. A “-” means the example was 
not run. A “> n” means the system had still no solution after time n. 

Table 3 shows the number of generated and tested pre-interpretations (num- 
ber of backtracks). For the SEM system, we have modified the source code to 
report exactly this number. For the FINDER system we report the sum of the 
Table 2. Execution times 

Example         naive  single CS  best CS     AB   FINDER    SEM  FMCATINF 
appendlast        919     0.76      1.63     1.42    0.07   0.01    45.21 
reverselast       918     0.85      1.85     1.00    0.10   0.01    10.79 
nreverselast    >2706    >1673      178     17.5H   >1446    957     >900 
multiset1o       0.18     0.06      0.12     0.08    0.02   0.01       - 
multiset2o       0.07     0.20      0.47     0.10    0.02   0.01     0.02 
multiset3o       0.94     0.54      2.77     0.28    0.03   0.01       - 
blockpair2o       451     0.86      3.14     5.05    0.07   0.05     7.31 
blockpair3o       >58     0.94      3.90    21.97    0.18   0.23     >900 
blockpair2l      5303     1.86      7.85     3.56    0.04   0.05    204.9 
blockpair3l      >222     2.05      9.70    53.88    0.12   0.18     >900 
blockzero2o      7.93     7.94      4.35     2.84    0.11   0.09       - 
blockzero3o       162     8.86      5.41    24.48    0.22   1.98       - 
blockzero2l     18.49     2.00     20.71     5.67    0.23   0.10       - 
blockzero3l     40.35     2.06     24.76    37.23    0.33   2.39       - 
blockzero2ls    11.8H      648     2631      593     2287   5.05     >900 
tba              >950     1331      3.65     3.29    0.03   0.03     0.06 
grp              1189     1.05      5.89    13.94    0.03   0.01       - 
cl3              0.13     3.85      1.63     1.03    0.02   0.03     0.04 



number of bad candidates tested and other backtracks. Also in this table “-” 
means not run, “> n” means already n backtracks when interrupted. For the 
system best CS we give an additional column total which shows the total number 
of conflict sets obtained as “answers” to the query (divided by the number of 
backtracks, this gives the average number of conflict sets obtained when running 
the query). 

4.3 Discussion 

Comparing the systems naive and AB, we see that the straightforward transfer 
of AB to XSB results in a much worse behavior. Hence the heuristics used by 
AB to control the search have a big impact. 

The effect of the advanced failure analysis is not reported separately. Its 
impact is only visible in the block*3? problems which compute, for the failure 
analysis, an irrelevant output argument. The advanced failure analysis makes 
these problems behave as well as the corresponding block*2? problems. Note 
that the AB system as well as all first order model generators behave much worse 
on the 3-argument problems than on the corresponding 2-argument problems. 
As computing some output is a natural feature of a logic program, the advanced 
failure analysis is an important asset of our system. 

Adding more sophisticated backtracking which does not fix the order of 
the cells in advance yields a substantial improvement on most problems. The 
system single CS which sticks everywhere to the first conflict set is often the 
Table 3. Number of backtracks 

                 naive  single CS    best CS         AB   FINDER     SEM  FMCATINF 
Example          #bckt     #bckt   #bckt   total  #bckt    #bckt   #bckt     #bckt 
appendlast           ?         ?       ?     136     43        ?      27    110019 
reverselast          ?         ?       ?     133      ?      211      27     23445 
nreverselast    >10000         ?     221    2426      ?        ?       ?        >? 
multiset1o           ?         ?       ?      11      4        4       ?         - 
multiset2o           ?         ?       ?      38     10       31       ?         ? 
multiset3o           ?         ?      76     122     33       75      86         - 
blockpair2o       9323         ?       ?      55     17      273       ?         ? 
blockpair3o          ?         ?       ?      55     56      879       ?         ? 
blockpair2l      32873         ?       ?     117     33        ?     918         ? 
blockpair3l          ?        76       ?     117      ?      359       ?         ? 
blockzero2o        577         ?      48     148    158        ?    3495         ? 
blockzero3o       1245         ?      48     148    500      897       ?         ? 
blockzero2l       1145       190       ?    1044     98     1131    3415         ? 
blockzero3l       2289       190       ?    1044      ?        ?   63288         ? 
blockzero2ls    128926     21544       ?   31969   3615  3999226       ?         ? 
tba                  ?         ?      41      91      ?       23       5        33 
grp              19996        71     138     210      ?       24      14         ? 
cl3                  5         ?      93     191      ?       30       3         - 

(A “?” marks a table entry that is not legible in the available copy of the paper.) 



fastest, although it often needs more backtracks than best CS. It fails only on 
nreverselast which uses a 5 element domain and has a very large search space. 
However, on the equality problems it becomes obvious that a good choice of 
a conflict set is essential for solving such problems. In number of backtracks, 
best CS compares quite well with AB. Only on blockzero2ls it needs a lot more 
backtracks, while it needs a lot less on nreverselast. Perhaps on blockzero2ls, 
for which no pre-interpretation proving failure exists, it suffers from the less 
optimal ordering because the search space has to be searched exhaustively. 

Of the model generators, FINDER and SEM perform reasonably well in 
terms of time and also in number of backtracks. However, the results for FINDER 
were obtained only after a fine tuning of the different parameters and the repre- 
sentation of the problems (see [3]). The system also uses intelligent backtracking 
for deriving secondary conflict sets and some other forms of failure analysis. It 
has a smaller number of backtracks on the more complex planning problems 
than SEM. The system SEM is the fastest in raw speed and is not so sensitive to 
the problem representation. Of the model generators, the system FMCATINF is 
the weakest on the class of problems we consider. This result contrasts with the 
results in [7] where it is the best on several problems. 

Compared with our system the model generators have to backtrack much 
more on the planning problems and the other logic programs where they have to 
explore the full space of interpretations while we look only for the least model 
of the program for a given pre-interpretation (the extra cost of evaluating the 
query in the least model is more than compensated for by the exponentially 
smaller search space). On the TPTP problems our system is doing worse which 
suggests that there is further room for making better use of the information in 
conflict sets. 



5 Conclusion 

In this paper we presented a method for proving failure of queries for definite 
logic programs based on direct execution of the abstracted program in XSB- 
Prolog, a standard top-down proof procedure with tabulation. 

By using a better form of intelligent backtracking (proposed in [1]) which 
does not fix the enumeration order in advance and an improved failure analysis, 
we were able to compensate for the loss of flexibility which results from the direct 
execution of the abstracted program. 

This way of intelligent backtracking could also be interesting for other sys- 
tems, e.g. FMCATINF of which Peltier reports that it is quite sensitive to the 
initial enumeration order. 

While the differences in speed with the AB system are modest, the approach is 
still very interesting as the depth-first left-to-right execution results in a much 
better memory management so that larger problems can be tackled. The meta- 
interpreter of the AB system keeps track of the whole top-down proof tree in 
evaluating the query, which leads to very large memory consumption. 

Interesting future work is to further investigate some control issues. One 
could explore whether there is a good compromise between computing only one 
solution to the query and computing all solutions. One could try to further 
improve the backtracking by developing some heuristics which order a group of 
new elements when they are inserted in the ordered sequence. 

Acknowledgements 

We want to thank Kostis Sagonas for his help with the XSB system. Maurice 
Bruynooghe is supported by FWO-Vlaanderen. Nikolay Pelov is supported by 
the GOA project LP+. 

A Code for Some of the Problems 

A.1 Multiset 

multiset1o :- sameMultiSet(a, X), sameMultiSet(X, b). 

multiset2o :- sameMultiSet(o(a,o(a,emptyMultiSet)), o(X,o(emptyMultiSet,b))). 
multiset3o :- sameMultiSet(o(a,o(a,o(emptyMultiSet,b))), 
                           o(o(a,b),o(a,emptyMultiSet))). 

sameMultiSet(X, X). 
sameMultiSet(o(X, Y), o(X, Z)) :- sameMultiSet(Y, Z). 
sameMultiSet(o(o(X, Y), Z), U) :- sameMultiSet(o(X, o(Y, Z)), U). 
sameMultiSet(U, o(o(X, Y), Z)) :- sameMultiSet(U, o(X, o(Y, Z))). 
sameMultiSet(o(emptyMultiSet, X), Y) :- sameMultiSet(X, Y). 
sameMultiSet(X, o(emptyMultiSet, Y)) :- sameMultiSet(X, Y). 
sameMultiSet(o(X, Y), Z) :- sameMultiSet(o(Y, X), Z). 

A.2 Planning Problems 

Blocks are identified by integers represented as terms with the constant 0 and 
the function s/1. The actionZero/3 predicate gives the possible actions and the 
causesZero/3 predicate tries to find a plan. In both predicates the first argument 
is the initial state, the last argument is the final state and the plan is collected 
in the second argument. 

blockzero3o :- 
    causesZero(o(o(on(s(s(0)), s(0)), cl(s(s(0)))), em), Plan, 
               o(on(s(0), 0), Z)). 

causesZero(I1, void, I2) :- 
    sameMultiSet(I1, I2). 
causesZero(I, plan(A, P), G) :- 
    actionZero(C, A, E), 
    sameMultiSet(o(C, Z), I), 
    causesZero(o(E, Z), P, G). 

actionZero(holds(V), put_down(V), 
           o(table(V), o(clear(V), nul))). 
actionZero(o(clear(V), o(table(V), nul)), pick_up(V), 
           holds(V)). 
actionZero(o(holds(V), clear(W)), stack(V, W), 
           o(on(V, W), o(clear(V), nul))). 
actionZero(o(clear(V), o(on(V, W), nul)), unstack(V), 
           o(holds(V), clear(W))). 
actionZero(o(on(X, Y), o(clear(X), nul)), generate_block, 
           o(on(s(X), X), o(on(X, Y), o(clear(s(X)), nul)))). 
Abstract. In this work, we develop a partial evaluation technique for 
residuating functional logic programs, which generalize the concurrent 
computation models for logic programs with delays to functional logic 
programs. We show how to lift the nondeterministic choices from run 
time to specialization time. We ascertain the conditions under which the 
original and the transformed program have the same answer expressions 
for the considered class of queries as well as the same floundering behav- 
ior. All these results are relevant for program optimization in Curry, a 
functional logic language which is intended to become a standard in this 
area. Preliminary empirical evaluation of the specialized Curry programs 
demonstrates that our technique also works well in practice and leads to 
substantial performance improvements. To our knowledge, this work is 
the first attempt to formally define and prove correct a general scheme 
for the partial evaluation of functional logic programs with delays. 



1 Introduction 

The last few years have witnessed a maturity in the area of multiparadigm declar- 
ative languages in order to combine the most important features of functional 
programming (nested expressions, efficient demand-driven functional computa- 
tions), logic programming (logical variables, partial data structures, constraints, 
built-in search), and concurrent programming (concurrent computations with 
synchronization on logical variables). The computation model of such integrated 
languages is based on a seamless combination of two different operational prin- 
ciples: narrowing and residuation. 

The residuation principle is based on the idea of delaying function calls until 
they are ready for deterministic evaluation. Residuation preserves the deter- 
ministic nature of functions and naturally supports concurrent computations. 
Unfortunately, it is unable to compute solutions if arguments of functions are 
not sufficiently instantiated during the computation, though program analysis 

* This work has been partially supported by CICYT TIC 98-0445-C03-01, by Acción 
Integrada hispano-alemana HA1997-0073, and by the German Research Council 
(DFG) under grant Ha 2457/1-1. 
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methods exist which provide sufficient criteria for the completeness of residua^ 
tion [11, 19]. Residuating functional logic languages employ dynamic scheduling 
similarly to modern (constraint) logic programming languages, where some calls 
are dynamically delayed until their arguments are sufficiently instantiated to 
allow the call to run eflSciently. Residuation is the basis for implementing mcmy 
concurrent (constraint) programming languages such as Oz [32] and is also used 
in other multiparadigm declarative languages such as Escher [25, 26], Le Fun [2], 
Life [1], and NUE-Prolog [31]. 

On the other hand, the narrowing mechanism allows the instantiation of 
variables in expressions and then applies reduction steps to the function C 2 dls of 
the instantiated expression. This instantiation is usuaJly computed by unifying 
a subterm of the expression with the left-hamd side of some program rule. Nar- 
rowing provides completeness in the sense of logic programming — computation 
of all solutions — as well as functional programming — computation of values — 
(see [18] for a survey). To avoid unnecessary computations eind to deal with infi- 
nite data structures, demand-driven generation of the search space has recently 
been advocated by a flurry of outside-in, lazy narrowing strategies (see, e.g., [10, 
16,28,29]). Due to its optimality properties w.r.t. the length of derivations 2 «id 
the number of computed solutions, needed narrowing [10] is currently the best 
lazy narrowing strategy for functional logic programs. 

Curry is a modern multiparadigm declarative language which combines functional, logic and concurrent programming styles by unifying (needed) narrowing and residuation into a single model [20, 21]. To support coroutining, the model provides for suspension of function calls if a demanded argument is not sufficiently instantiated. Similarly to recent residuation-based languages like Escher [25] or Oz [32], Curry represents (don't know) non-deterministic choices by explicit disjunctions, in contrast to narrowing which is usually defined with implicit disjunctions as in classical logic programming. The precise mechanism (narrowing or residuation) for each function is specified by evaluation annotations, which are similar to coroutining declarations in Prolog [30], where the programmer specifies conditions under which a call is ready for a resolution step. Deterministic functions are declared rigid (which forces delayed evaluation by rewriting), while non-deterministic functions are declared flex (which enables narrowing steps). By default, only predicates (i.e., Boolean functions) are considered flexible, while all other functions are rigid, but the user can easily provide different evaluation annotations. The computation domain considers disjunctions of (answer | expression) pairs in order to reflect not only the computed values but also the different variable bindings. The following example illustrates the integrated model (the computation steps are denoted by → as in [20]).

Example 1. Consider the following rules defining the less-or-equal function “≤” and the addition “+” on natural numbers (built from 0 and s):

0 ≤ N → true            0 + X → X
s(M) ≤ 0 → false        s(X) + Y → s(X + Y)
s(M) ≤ s(N) → M ≤ N

where “≤” is rigid and “+” is flexible. Then, the following goal is evaluated by freezing and awakening the function call to “≤” (the subterm evaluated in the next step is enclosed in brackets, which stand in for the underlining of the original typesetting):¹

id | X ≤ Y & [X + 0] = 0
→ {X = 0} | [0 ≤ Y] & 0 = 0  ∨  {X = s(Z)} | s(Z) ≤ Y & s(Z + 0) = 0
→ {X = 0} | true & 0 = 0  ∨  {X = s(Z)} | s(Z) ≤ Y & [s(Z + 0) = 0]
→ {X = 0} | true & [0 = 0]
→ {X = 0} | [true & true]
→ {X = 0} | true



Note that the second disjunction fails since s(Z + 0) = 0 is unsolvable. 

Partial evaluation (PE) has been established as an important research topic in both the functional [12, 22] and logic programming [15, 27] communities. Although the objectives are similar (typically, the specialization of a given program w.r.t. part of its input data), the general methods are often different due to the distinct underlying models and the different perspectives (see [6] for a detailed comparison). This separation has the negative consequence of duplicated work since developments are not shared and many similarities are overlooked.

Narrowing-driven PE [6] is the first generic algorithm for the specialization of functional logic programs. This framework provides the same potential for specialization as powerful (on-line) PE methods for logic programs (e.g., conjunctive partial deduction [24]) as well as functional programs (e.g., positive supercompilation [17]). The work in [7] formalizes an instance of the narrowing-driven PE method for inductively sequential programs based on needed narrowing. It lifts to the PE level the idea of only evaluating code when it is necessary. An attractive property of this instance is that it preserves the (inductively sequential) structure of the original program, and hence the same execution mechanism (namely, needed narrowing) can be safely used after the specialization. This property does not generally hold for other instances of the PE framework (see [7]).

The aim of this paper is to develop a partial evaluator for (kernel) Curry programs. Unfortunately, the approach of [7] is not powerful enough, since it follows the framework of [6] which does not consider the residuation principle. Hence, we generalize the original framework in order to deal with (inductively sequential) programs containing evaluation annotations for program functions. This task is difficult for several reasons. Firstly, a naive adaptation of [7] in which floundering computations are simply stopped during PE is not adequate, since a poor specialization would be obtained in most cases and could even be unsafe in our setting (see Example 3). Thus, we introduce an extension of the standard computation model which allows us to ignore evaluation annotations during PE while still guaranteeing correctness. As a consequence, our method is less restrictive than many existing methods for (constraint) logic programs with

¹ Here & is the concurrent conjunction operator, i.e., the expression e1 & e2 is reduced by reducing either e1 or e2, and = is the strict equality predicate.



delays, in which suspended expressions cannot be unfolded (e.g., [14]). Secondly,
the inference of safe evaluation annotations for the partially evaluated programs 
is far from trivial (see Example 4). In particular, we are forced to split resultants 
into several auxiliary (intermediate) functions in some cases to correctly preserve 
the answer expressions as well as the floundering behaviour. 

The main contributions of this work can be summarized as follows. We provide (total) correctness results for the transformation, including the equivalence between the original and specialized programs w.r.t. floundering-freeness. This can be used for proving completeness of residuation for the considered class of goals in the original program by analyzing the floundering behavior of the resulting program. In particular, proving floundering-freeness for the specialized program is in many cases trivial (or easier than in the original program) because partial evaluation can transform a rigid function into a flexible one (whenever the specialized call is already sufficiently instantiated), but not vice versa. Moreover, we also prove that the transformation preserves the (inductively sequential) structure of programs.

The structure of the paper is as follows. After some basic definitions in Sect. 2, in Sect. 3 we recall the formal definition of needed narrowing and residuation. A PE scheme for residuating functional logic programs is formalized in Sect. 4, together with a method to properly synthesize evaluation annotations for specialized functions. We also provide results about the structure of specialized programs and the total correctness of the transformation. Section 5 shows the practical importance of our specialization techniques by means of some examples and Sect. 6 concludes. More details and proofs of technical results can be found in [4].

2 Preliminaries 

We assume familiarity with basic notions of term rewriting [13] and functional logic programming [18]. We consider a (many-sorted) signature Σ partitioned into a set C of constructors and a set F of (defined) functions or operations. We write c/n ∈ C and f/n ∈ F for n-ary constructor and operation symbols, respectively. There is at least one sort Bool containing the constructors true and false. The set of terms and constructor terms with variables (e.g., x, y, z) from X are denoted by T(C ∪ F, X) and T(C, X), respectively. The set of variables occurring in a term t is denoted by Var(t). A term t is ground if Var(t) = ∅. A term is linear if it does not contain multiple occurrences of one variable. We write $\overline{o_n}$ for the list of objects o1, …, on.

A pattern is a term of the form f($\overline{d_n}$) where f/n ∈ F and $\overline{d_n}$ ∈ T(C, X). A term is operation-rooted if it has an operation symbol at the root. root(t) denotes the symbol at the root of the term t. A position p in a term t is represented by a sequence of natural numbers (Λ denotes the empty sequence, i.e., the root position). Positions are ordered by the prefix ordering: u ≤ v, if there exists w such that u.w = v. Given a term t, we let Pos(t) and FPos(t) denote the set of positions and the set of nonvariable positions of t, respectively. t|p denotes the subterm of t at position p, and t[s]p denotes the result of replacing the subterm t|p by the term s (see [13] for details).

We denote by {x1 ↦ t1, …, xn ↦ tn} the substitution σ with σ(xi) = ti for i = 1, …, n (with xi ≠ xj if i ≠ j), and σ(x) = x for all other variables x. The set Dom(σ) = {x ∈ X | σ(x) ≠ x} is called the domain of σ. A substitution σ is (ground) constructor, if σ(x) is (ground) constructor for all x ∈ Dom(σ). The identity substitution is denoted by id. Given a substitution θ and a set of variables V ⊆ X, we denote by θ|V the substitution obtained from θ by restricting its domain to V. We write θ = σ [V] if θ|V = σ|V, and θ ≤ σ [V] denotes the existence of a substitution γ such that γ ∘ θ = σ [V]. A term t' is an instance of t if there is a substitution σ with t' = σ(t). This implies a subsumption ordering on terms which is defined by t ≤ t' iff t' is an instance of t.

A set of rewrite rules l → r such that l ∉ X, and Var(r) ⊆ Var(l) is called a term rewriting system (TRS). The terms l and r are called the left-hand side (lhs) and the right-hand side (rhs) of the rule, respectively. A TRS R is left-linear if l is linear for all l → r ∈ R. A TRS is constructor-based (CB) if each lhs l is a pattern. In the remainder of this paper, a functional logic program is a left-linear CB-TRS. A rewrite step is an application of a rewrite rule to a term, i.e., t →_{p,R} s if there exists a position p in t, a rewrite rule R = l → r and a substitution σ with t|p = σ(l) and s = t[σ(r)]p.

To evaluate terms containing variables, narrowing non-deterministically instantiates the variables such that a rewrite step is possible. Formally, t ⇝_{p,R,σ} t' is a narrowing step if p is a non-variable position in t and σ(t) →_{p,R} t'. We denote by t0 ⇝*_σ tn a sequence of narrowing steps t0 ⇝_{σ1} ⋯ ⇝_{σn} tn with σ = σn ∘ ⋯ ∘ σ1. Due to the presence of free variables, an expression may be reduced to different values after instantiating free variables to different terms. In functional programming, one is interested in the computed value whereas logic programming emphasizes the different bindings (answers). Thus, for our integrated framework we define an answer expression as a pair σ | e consisting of a substitution σ (the answer computed so far) and an expression e. An answer expression σ | e is solved if e is a constructor term, otherwise it is unsolved. Since more than one answer may exist for expressions containing free variables, expressions are reduced to disjunctions of answer expressions. A disjunctive expression is a (multi-)set of answer expressions {σ1 | e1, …, σn | en}, sometimes written as (σ1 | e1) ∨ … ∨ (σn | en). The set of all disjunctive expressions is denoted by D.

The evaluation to ground constructor terms (and not to arbitrary expressions) is the intended semantics of functional languages and also of most functional logic languages. In particular, the equality predicate = used in some examples is defined (as in functional languages) as the strict equality on terms:

c = c → true                                                % c/0 ∈ C
c(X1, …, Xn) = c(Y1, …, Yn) → (X1 = Y1) & … & (Xn = Yn)      % c/n ∈ C

Thus we do not treat the strict equality in any special way, and it is sufficient to consider it as a Boolean function which must be reduced to the constant true.

3 A Unified Computation Model for FL Programs with Delays

The definition of needed narrowing [10] and its extension to concurrent programming [20] is based on definitional trees which have been introduced by Antoy [8] for the specification of efficient rewrite strategies. A definitional tree is a hierarchical structure containing all rules of a defined function. T is a definitional tree with pattern π iff the depth of T is finite and one of the following cases holds:

T = rule(π → r), where π → r is a variant of a rule.

T = branch(π, o, r, T1, …, Tk), where o is an occurrence of a variable in π, r ∈ {rigid, flex}, c1, …, ck are different constructors of the sort of π|o, for some k > 0, and, for all i = 1, …, k, Ti is a definitional tree with pattern π[ci(x1, …, xn)]o, where n is the arity of ci and x1, …, xn are new variables.

A definitional tree of an n-ary function f is a definitional tree T with pattern f(x1, …, xn), where x1, …, xn are distinct variables, such that for each rule l → r with l = f(t1, …, tn) there is a node rule(l' → r') in T with l variant of l'. In the following, we write pattern(T) for the pattern of a definitional tree T. A defined function is called inductively sequential if it has a definitional tree. A rewrite system R is called inductively sequential if all its defined functions are inductively sequential.² We call a function flexible or rigid if all the branch nodes in its definitional tree are flex or rigid, respectively.

Example 2. Consider the rules defining the function “≤” in Example 1. Then

branch(X ≤ Y, 1, rigid, rule(0 ≤ Y → true),
    branch(s(M) ≤ Y, 2, rigid, rule(s(M) ≤ 0 → false),
        rule(s(M) ≤ s(N) → M ≤ N)))

is a definitional tree of “≤”. It is often convenient and simplifies understanding to provide a graphic representation of definitional trees. Each inner node is marked with a pattern and the flex/rigid annotation, the inductive position in branches is surrounded by a box, and the leaves contain the corresponding rules. For instance, the definitional tree for the function “≤” is illustrated in Fig. 1.

The definitional tree of a function determines the precise strategy in order to evaluate a call to this function. Informally, a rule node requires the application of this rule and a branch node requires the examination of the subterm of this function call which is specified by the position in the branch node. To provide concurrent computation threads, expressions can be combined by the concurrent conjunction operator &, i.e., the expression e1 & e2 can be reduced by reducing either e1 or e2. Note that we obtain the behavior of the needed narrowing strategy [10] if all functions are flexible. Moreover, functional logic languages

² Curry also supports rules with overlapping left-hand sides by providing or nodes in definitional trees, but we omit this feature here for simplicity.
Fig. 1. Definitional tree for the function “≤” (graphical form of the tree of Example 2; the boxed inductive position is written here in brackets):

rigid: [X] ≤ Y
├─ 0 ≤ Y → true
└─ rigid: s(M) ≤ [Y]
   ├─ s(M) ≤ 0 → false
   └─ s(M) ≤ s(N) → M ≤ N



which are based on residuation, like Life or Escher, where functions are always deterministically evaluated or suspended and non-determinism is encoded by predicates, can be modeled with programs where all (non-Boolean) functions are rigid and all predicates (Boolean functions) are flexible.

For a precise definition of this operational semantics, it is convenient to distinguish between complete computation steps where one reduction has been performed and incomplete computation steps which are suspended due to some rigid branch.³ Incomplete steps are called degenerate in [9] in the sense that some variables could have been instantiated but no subsequent reduction has been performed. We mark a substitution in an answer expression by the superscript s, i.e., σ^s ∘ σ' | t denotes a suspended answer expression where the reduction part of the step has not been performed due to a suspension in a rigid branch. For convenience, we denote by σ^s a composed substitution with σ = σk^s ∘ ⋯ ∘ σ1, and by σ (without mark) a composed substitution with σ = σk ∘ ⋯ ∘ σ1 where σk does not have the form σk^s. Marks in substitutions are only a technical artifice to simplify our formulation and are simply ignored when composing and applying substitutions.

We also consider the set of all disjunctive expressions where each disjunct could also be a suspended answer expression. Then the operational semantics of Curry is specified by the functions cs and cst (see Fig. 2), defined on T(C ∪ F, X) and on T(C ∪ F, X) × DT respectively and mapping into this set, where DT stands for the set of all definitional trees. Moreover, the composition of substitutions and the replacement of subterms is extended to disjunctive expressions as follows:

{σ1 | t1, …, σn | tn} ∘ σ = {σ1 ∘ σ | t1, …, σn ∘ σ | tn}
t[{σ1 | t1, …, σn | tn}]o = {σ1 | σ1(t)[t1]o, …, σn | σn(t)[tn]o}

As in proof procedures for logic programming, we assume that the definitional trees always contain new variables if they are used in a narrowing step. This implies that all computed substitutions are idempotent (we will implicitly assume this property in the following).

³ In [20], this distinction is made by a special constant in the domain of disjunctive expressions while here we use a special mark at substitutions in answer expressions. We find this more convenient to formulate the PE method in residuating programs as will become apparent later.
Computation step for a single operation-rooted term t:

cs(f(t1, …, tn)) = cst(f(t1, …, tn), T)   if T is a definitional tree for f

cs(t1 & t2) =
    true                   if t1 = t2 = true
    (t1 & t2)[cs(t1)]1     if t1 ≠ true and cs(t1) does not suspend
    (t1 & t2)[cs(t2)]2     if t2 ≠ true, cs(t2) does not suspend, and cs(t1) suspends
    id^s | t1 & t2         otherwise

cst(t, rule(l → r)) = id | σ(r)   if σ is a substitution with σ(l) = t

cst(t, branch(π, o, r, T1, …, Tk)) =
    cst(t, Ti) ∘ id                       if t|o = c(t1, …, tn) and pattern(Ti)|o = c(X1, …, Xn)
    ∅                                     if t|o = c(…) and pattern(Ti)|o ≠ c(…), i = 1, …, k
    id^s | t                              if t|o = X and r = rigid
    ∪_{i=1}^{k} cst(σi(t), Ti) ∘ σi       if t|o = X, r = flex, and σi = {X ↦ pattern(Ti)|o}
    t[cs(t|o)]o ∘ id                      if t|o = f(t1, …, tn)

Derivation step for a disjunctive expression:

(σ' | t) ∨ D → (σ1 ∘ σ' | t1) ∨ … ∨ (σn ∘ σ' | tn) ∨ D
    if t is operation-rooted and cs(t) = σ1 | t1 ∨ … ∨ σn | tn

Fig. 2. Operational semantics of concurrent functional logic programming



The overall computation strategy is a transformation on disjunctive expressions. It takes an operation-rooted term⁴ t of a non-suspended disjunct. Then the computation step cs(t) stemming from t is performed, and the selected disjunct is replaced by the computed disjunction composed with the answer computed to that point. A single computation step cs(t) applies a rule, if possible (first case of cst), or checks the subterm corresponding to the inductive position of the branch (second case of cst): if it is a constructor, we proceed with the corresponding subtree (if possible); if it is a function, we evaluate it by recursively applying the strategy to this subterm; if it is a variable, we suspend (in the case of a rigid branch) or nondeterministically instantiate the variable to the constructors of all children and proceed. Hence, a concurrent conjunction of two expressions proceeds by evaluating the conjunct which does not suspend. We say that a computation D → D' flounders if every answer expression σ' | t ∈ D' is suspended. A goal e flounders iff the computation starting from e flounders.

This strategy was first introduced in [20] and differs from lazy functional languages only in the possible instantiation of free variables and from logic languages in the lazy evaluation of nested function calls. Moreover, logic programs with coroutining (i.e., delayed predicates waiting for the instantiation of some argument) can be modeled by the use of the concurrent conjunction operator &.
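As an added illustration (not code from the paper or the Curry system), the following Python models the functions cs and cst and the derivation step of Fig. 2 over the rules of Example 1 and reproduces that example's derivation; with the two annotations swapped it also yields the suspended disjunct of Example 3 and the floundering goal of Example 4 below. The term and tree encodings, the fresh-variable naming, and the treatment of a conjunct that is a variable or a constructor other than true are assumptions of this sketch.

```python
"""Added Python model of cs / cst and the derivation step of Fig. 2 (not the paper's code)."""
from itertools import count
CONS = {'0', 's', 'true', 'false'}          # terms: variable = str, application = (symbol, args...)
TRUE, ID, _fresh = ('true',), {}, count()

def is_var(t): return isinstance(t, str)
def is_op(t): return not is_var(t) and t[0] not in CONS
def variables(t): return {t} if is_var(t) else {v for a in t[1:] for v in variables(a)}
def apply(sub, t):
    return sub.get(t, t) if is_var(t) else (t[0],) + tuple(apply(sub, a) for a in t[1:])

def compose(s2, s1):                        # (s2 o s1)(x) = s2(s1(x)); both idempotent
    out = {x: apply(s2, v) for x, v in s1.items()}
    out.update({x: v for x, v in s2.items() if x not in s1})
    return out

def subterm(t, pos):                        # t|pos, pos a tuple of argument indices
    for i in pos: t = t[i]
    return t

def replace(t, pos, s):                     # t[s]pos
    if not pos: return s
    return t[:pos[0]] + (replace(t[pos[0]], pos[1:], s),) + t[pos[0] + 1:]

def match(pat, t, sub):                     # extends sub so that sub(pat) = t, or None
    if is_var(pat):
        sub[pat] = t
        return sub
    if is_var(t) or pat[0] != t[0] or len(pat) != len(t): return None
    for p, a in zip(pat[1:], t[1:]):
        if match(p, a, sub) is None: return None
    return sub

def fresh(c):                               # c(x1, ..., xn) with new variables (Sect. 3)
    n = next(_fresh)
    return (c[0],) + tuple(f'{x}_{n}' for x in c[1:])

# Definitional trees: ('rule', lhs, rhs) or ('branch', pattern, pos, mode, subtrees)
def rule(l, r): return ('rule', l, r)
def branch(p, pos, mode, kids): return ('branch', p, pos, mode, kids)

def trees(leq, add):
    """<= and + of Example 1 annotated 'rigid'/'flex'; = is the flexible strict equality (0, s only)."""
    return {'<=': branch(('<=', 'X', 'Y'), (1,), leq, [
                rule(('<=', ('0',), 'Y'), TRUE),
                branch(('<=', ('s', 'M'), 'Y'), (2,), leq, [
                    rule(('<=', ('s', 'M'), ('0',)), ('false',)),
                    rule(('<=', ('s', 'M'), ('s', 'N')), ('<=', 'M', 'N'))])]),
            '+': branch(('+', 'X', 'Y'), (1,), add, [
                rule(('+', ('0',), 'Y'), 'Y'),
                rule(('+', ('s', 'X'), 'Y'), ('s', ('+', 'X', 'Y')))]),
            '=': branch(('=', 'X', 'Y'), (1,), 'flex', [
                branch(('=', ('0',), 'Y'), (2,), 'flex', [rule(('=', ('0',), ('0',)), TRUE)]),
                branch(('=', ('s', 'X'), 'Y'), (2,), 'flex', [
                    rule(('=', ('s', 'X'), ('s', 'Y')), ('=', 'X', 'Y'))])])}

def suspends(d): return bool(d) and all(susp for _, susp, _ in d)

def cst(t, tree, T):
    """Step guided by a tree; a disjunct is (substitution, suspended?, term), the flag being the mark s."""
    if tree[0] == 'rule':
        sub = match(tree[1], t, {})
        return [] if sub is None else [(ID, False, apply(sub, tree[2]))]
    _, _, pos, mode, kids = tree
    a = subterm(t, pos)
    if is_var(a) and mode == 'rigid':       # demanded argument unbound: suspend
        return [(ID, True, t)]
    if is_var(a):                           # flex: instantiate with every child constructor
        return [(compose(s2, s), susp, t2) for k in kids for s in [{a: fresh(subterm(k[1], pos))}]
                for s2, susp, t2 in cst(apply(s, t), k, T)]
    if is_op(a):                            # nested call at the inductive position: evaluate it
        return [(s, susp, replace(apply(s, t), pos, a2)) for s, susp, a2 in cs(a, T)]
    for k in kids:                          # constructor: descend into the fitting subtree
        if subterm(k[1], pos)[0] == a[0]: return cst(t, k, T)
    return []                               # no subtree fits: failure

def cs(t, T):                               # step for an operation-rooted term
    if t[0] != '&': return cst(t, T[t[0]], T)
    if t[1] == TRUE and t[2] == TRUE: return [(ID, False, TRUE)]
    for i in (1, 2):                        # & reduces whichever conjunct does not suspend
        if t[i] == TRUE: continue
        # assumption: a variable conjunct suspends, any other constructor conjunct fails
        d = cs(t[i], T) if is_op(t[i]) else [(ID, True, t)] if is_var(t[i]) else []
        if not suspends(d):
            return [(s, susp, replace(apply(s, t), (i,), t2)) for s, susp, t2 in d]
    return [(ID, True, t)]

def solve(goal, T, limit=100):
    """Derivation steps of Fig. 2 on id | goal until every disjunct is solved or suspended;
    returns ([(answer on goal variables, term, suspended?)], flounders?)."""
    gv, disj = variables(goal), [(ID, False, goal)]
    for _ in range(limit):
        sel = next((d for d in disj if not d[1] and is_op(d[2])), None)
        if sel is None: break
        sigma, _, t = sel
        i = disj.index(sel)
        disj[i:i + 1] = [(compose(s, sigma), susp, t2) for s, susp, t2 in cs(t, T)]
    return [({x: v for x, v in s.items() if x in gv}, t, susp) for s, susp, t in disj], suspends(disj)

EX1_GOAL = ('&', ('<=', 'X', 'Y'), ('=', ('+', 'X', ('0',)), ('0',)))   # X <= Y & X + 0 = 0
EX3_GOAL = ('<=', 'X', ('+', 'Y', ('0',)))                              # X <= Y + 0
```

`solve(EX1_GOAL, trees('rigid', 'flex'))` returns the single solved disjunct {X = 0} | true of Example 1, and `solve(EX3_GOAL, trees('flex', 'rigid'))` returns the solved and the suspended disjunct of Example 3.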

Note that, in each recursive step during the computation of cst, we compose the current substitution with the local substitution of this step (which can be the identity). Thus, each computation step can be represented as cs(t) = ⋁_{i=1}^{n} σ_{i,m} ∘ ⋯ ∘ σ_{i,1} | ti, where each σ_{i,j} is either the identity or the replacement of a single variable computed in each recursive step. This is also called the canonical representation of a computation step. In contrast to the classical definition of narrowing (see Sect. 2), the definition of → provides all (don't know nondeterministic) derivations at once by deriving an expression into a disjunctive expression. In order to relate → to the classical nondeterministic narrowing relation, we also write t ⇝_σ t' if σ | t' ∈ cs(t).

⁴ Here we consider only the evaluation of operation-rooted terms which is sufficient for functional logic programming where we are interested in reducing strict equalities to the constant true.

The main difference with the needed narrowing strategy as introduced in [10] is the possibility that function calls may suspend and the special treatment of the concurrent conjunction & to deal with suspended evaluations. Therefore, we denote by →_RN and ⇝_RN the relations defined similarly to → and ⇝ above but where the definition of cs(t1 & t2) is omitted and the case “id^s | t if t|o = X and r = rigid” is replaced by

cst(t, branch(π, o, r, T1, …, Tk)) = ∪_{i=1}^{k} cst(σi(t), Ti) ∘ σi^s
    if t|o = X, r = rigid, and σi = {X ↦ pattern(Ti)|o}.

The fact that →_RN also decorates suspended bindings with the superscript s instead of simply omitting the case “id^s | t if t|o = X and r = rigid” and the condition “r = flex” in the definition of cst (giving rise to the narrowing strategy of [10]) will become useful in the next section.

Note that the meaning of the concurrent conjunction & can be defined by the single rewrite rule true & true → true which we assume to be implicitly added to the rewrite system when we consider needed narrowing steps. This function is inductively sequential and has the two definitional trees

branch(X & Y, 1, rigid, branch(true & Y, 2, rigid, rule(true & true → true)))

and

branch(X & Y, 2, rigid, branch(X & true, 1, rigid, rule(true & true → true))).

Now consider a term like t1 & t2. It is obvious that a →_RN step where t1 is evaluated corresponds to a needed narrowing step where the first definitional tree is taken for the root function &. Similarly, a →_RN step where t2 is evaluated corresponds to a needed narrowing step with the second definitional tree for &. Thus, we obtain the following theorem which formalizes the relation between the two calculi.

Theorem 1. Let R be an inductively sequential program and e a term.

1. If all steps in the derivation e →_RN* e' are complete, then there exists a needed narrowing derivation e ⇝_NN* e' in R.

2. If e ⇝_NN*_σ e' is a needed narrowing derivation for e in R, then there exists a derivation e →_RN*_θ e'' such that ∃φ. φ(e'') →* e' and σ = φ ∘ θ.




A Partial Evaluation Framework for Curry Programs

4 Partial Evaluation of Residuating Functional Logic Programs

In this section, we extend the framework of [6] (and, particularly, the instance introduced in [7]) in order to take into account delayed function calls during PE. Specialized definitions are basically produced by constructing a set of rules (called resultants) of the form

σ1(s) → t1
⋮
σn(s) → tn

associated to a given (partial) computation

id | s →_RN* {σ1 | t1 ∨ … ∨ σn | tn}.

After that, a renaming transformation is performed in order to ensure that the specialized definition is inductively sequential and also to guarantee its independence (in the sense of [27]).

Informally, the renaming transformation proceeds as follows. First, an independent renaming ρ for a set of terms S is constructed, which consists of a mapping from terms to terms such that for all s ∈ S, we have ρ(s) = f($\overline{x_n}$), where $\overline{x_n}$ are the distinct variables in s in the order of their first occurrence and f is a fresh function symbol. We also let ρ(S) denote the set S' = {ρ(s) | s ∈ S}. While the independent renaming suffices to rename the left-hand sides of resultants (since they are constructor instances of the specialized calls), the right-hand sides are renamed by means of the auxiliary function ren_ρ, which recursively replaces each call in the given expression by a call to the corresponding renamed function (according to ρ).

Unfortunately, the framework of PE above cannot simply be transferred to residuating programs, since a naive treatment of suspended calls can give rise to resultants which do not preserve the program's behavior, as illustrated in the following examples.

Example 3. Consider again the rules defining the functions “≤” and “+” of Example 1, and assume now that “≤” is flexible and “+” is rigid. Given the expression X ≤ Y + 0, we have the partial computation

id | X ≤ Y + 0 → {X = 0} | true ∨ {X = s(M)}^s | s(M) ≤ Y + 0

in which the second disjunct corresponds to an incomplete step. The associated resultants are the following:⁵

0 ≤ Y + 0 → true
s(M) ≤ Y + 0 → s(M) ≤ Y + 0

Obviously, any specialization containing the second rule does not preserve the semantics of the original program (for the intended goals). Unfortunately, getting rid of this trivial resultant does not preserve the semantics either.

⁵ We do not consider the renaming of resultants since it is not relevant here.
The above example reveals the need to relax the standard computation model during partial evaluation in order to “complete” the suspended steps in some suitable way. For instance, we could avoid suspensions by simply replacing → with →_RN during PE. This raises the question of whether it is possible to infer safe evaluation annotations for the specialized definitions, i.e., annotations such that total correctness is entailed. The following example answers this question negatively.

Example 4. Reconsider the program and goal of Example 3, but use →_RN to construct the partial computation

id | X ≤ Y + 0 →_RN {X = 0} | true ∨ {X = s(M), Y = 0} | s(M) ≤ 0
                     ∨ {X = s(M), Y = s(Z)} | s(M) ≤ s(Z + 0)

whose associated resultants are

0 ≤ Y + 0 → true
s(M) ≤ 0 + 0 → s(M) ≤ 0
s(M) ≤ s(Z) + 0 → s(M) ≤ s(Z + 0)

Then, neither flex nor rigid is a correct annotation for the specialized rules. If we assume that they are flexible, then a goal of the form s(X) ≤ Y + 0 would succeed (with answer substitution {Y = 0}) using the specialized rules whereas it suspends in the original program. On the other hand, declaring the new definition as rigid does not work either, since a goal X ≤ Y + 0 succeeds in the original program (with answer {X = 0}), whereas it suspends using the specialized rules.

Informally, the annotation flex for the specialized function is not safe since the bindings for the variable Y in the lhs of the second and third resultants have been brought by the evaluation of the rigid function “+”. Similarly, the annotation rigid does not work since (at runtime) it prevents the considered call from matching the lhs of the first resultant because the variable X was instantiated by evaluating (at PE time) the flexible function “≤”.

Our proposed solution is essentially as follows. We distinguish between two kinds of computations: those in which the initial step for the considered expression is incomplete and those which involve no kind of suspension (because they are eventually stopped before). In the latter case, we simply use the → computation model whereas, in the former case, we proceed to complete the degenerate step by using the relaxed relation →_RN. This allows us to infer safe evaluation annotations for specialized definitions as follows:

- We annotate as flex the specialized definitions which result from computations with no suspension. This is justified by the fact that all variable bindings propagated to the left-hand sides of specialized rules come from the evaluation of flexible functions (since evaluation of rigid functions causes no binding for goal variables). Thus, the handling of these specialized functions as flexible (at runtime) cannot introduce undesired bindings.
slist(id) = [ ]
slist(φk ∘ ⋯ ∘ φ1) = [θ^m | slist(φk ∘ ⋯ ∘ φ_{j+1})]
    where θ = φj ∘ ⋯ ∘ φ1, m = eval(φ1), and j is the maximum j ∈ {1, …, k} such that
    ∀p ∈ {1, …, j}: eval(φp) = eval(φ1) and eval(φ_{j+1}) ≠ eval(φ1)

eval(φ) = rigid    if φ is marked with the superscript s
          flex     otherwise

split(l, r, [φ^a]) = {φ^a(l) → ren_ρ(r), with evaluation annotation a}
split(l, r, [φ^a, θ^b | tail]) = {φ^a(l) → l', with eval. annotation a} ∪ split(l', r, [θ^b | tail])
    where l' = f(x1, …, xn), f ∈ F_inter a fresh function symbol, and Var(φ^a(l)) = {x1, …, xn}.

Fig. 3. Auxiliary functions for partial evaluation



- In case of a suspension, we are constrained to split resultants by introducing several intermediate functions with befitting evaluation annotations. This is necessary because the →_RN step can introduce bindings which come both from flexible and rigid functions (as shown in Example 4) and the splitting avoids the mixing of bindings of different nature (flex and rigid).

Formally, a partial evaluation based on the →_RN calculus (RNPE for short) is constructed from a set of terms S together with a set of (partial) computations for the terms in S. In the following, we denote by F_inter a set of fresh function symbols. These are the symbols which are used to construct the intermediate functions associated to the partial evaluation of suspended expressions.

Definition 1 (partial evaluation). Let R be a TRS, S = {s1, …, sn} a finite set of terms, and A1, …, An finite (partial) →_RN computations for s1, …, sn in R of the form:

Ak = id | sk →_RN* Dk,   k = 1, …, n

where all steps are complete, except (possibly) for the initial one. Let ρ be an independent renaming of S. Then, the set of rewrite rules R' =

{σ(ρ(sk)) → ren_ρ(r) | σ | r ∈ Dk}_{k=1}^{n}   (non-suspension)
∪
{split(ρ(sk), r, slist(σ ∘ θ)) | θ^s | θ(sk) ∈ Dk, θ(sk) ⇝_NN_σ r}   (suspension)

is a partial evaluation of S in R (under ρ). The evaluation annotation for the derivations involving no suspension is flex, whereas the resultants (and their evaluation annotations) for the suspended derivations are computed by means of the auxiliary functions shown in Fig. 3.⁶

⁶ In the definition of slist(σ) we consider that σ is expressed in its canonical representation.
Roughly speaking, the resultants associated to (one-step) →_RN computations are split into a set of “intermediate” rules, one rule associated to each sequence of consecutive bindings with the same superscript mark (suspended or non-suspended). This way, the specialized rules mimic the behaviour of the original functions perfectly. Note that the intermediate rules play no particular role in the evaluation of expressions, but are only necessary to preserve the flex or rigid nature of the functions in the initial program. The following example shows the construction of a RNPE for a suspended expression.

Example 5. Let us consider the following rules:

f(a, b) → c     % flex
g(b, c) → b     % rigid
h(c) → c        % flex

A PE for f(X, g(Y, h(Z))) constructed from the (suspended) derivation

f(X, g(Y, h(Z))) →_RN f(a, g(Y, h(Z)))

proceeds as follows (here we assume that ρ(f(X, g(Y, h(Z)))) = f'(X, Y, Z)):

1. First, the step f(a, g(Y, h(Z))) ⇝_NN_{Y ↦ b, Z ↦ c} f(a, g(b, c)) is computed.

2. Then, the call slist({X ↦ a, Y ↦ b, Z ↦ c}) is undertaken, which returns the set of substitutions [{X ↦ a}^flex, {Y ↦ b}^rigid, {Z ↦ c}^flex].

3. Finally, the computation of split proceeds as follows:

split(f'(X, Y, Z), f(a, g(b, c)), [{X ↦ a}^flex, {Y ↦ b}^rigid, {Z ↦ c}^flex])
= {f'(a, Y, Z) → f'_1(Y, Z)}
  ∪ split(f'_1(Y, Z), f(a, g(b, c)), [{Y ↦ b}^rigid, {Z ↦ c}^flex])
= {f'(a, Y, Z) → f'_1(Y, Z),
   f'_1(b, Z) → f'_2(Z)}
  ∪ split(f'_2(Z), f(a, g(b, c)), [{Z ↦ c}^flex])
= {f'(a, Y, Z) → f'_1(Y, Z),
   f'_1(b, Z) → f'_2(Z),
   f'_2(c) → ren_ρ(f(a, g(b, c)))}

where “f'” and “f'_2” are flexible, and “f'_1” is rigid.
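The auxiliary functions slist and split of Fig. 3, as used in the suspension case of Definition 1, run here on the canonical substitution of Example 5; this is an added Python example, not code from the paper. The encoding of the canonical representation as a list of marked single-variable bindings, the names f'_1, f'_2 for the F_inter symbols, and leaving ren_ρ symbolic are assumptions.

```python
"""slist and split of Fig. 3 as an added Python model (not the paper's code),
applied to the canonical substitution of Example 5."""
from itertools import count, groupby

def apply(sub, t):                     # terms: variables are str, applications are tuples
    return sub.get(t, t) if isinstance(t, str) else (t[0],) + tuple(apply(sub, a) for a in t[1:])

def compose(s2, s1):                   # (s2 o s1)(x) = s2(s1(x))
    out = {x: apply(s2, v) for x, v in s1.items()}
    out.update({x: v for x, v in s2.items() if x not in s1})
    return out

def var_order(t, acc=None):
    """Distinct variables of t in order of first occurrence (the x1..xn of Fig. 3)."""
    acc = [] if acc is None else acc
    if isinstance(t, str):
        if t not in acc: acc.append(t)
    else:
        for a in t[1:]: var_order(a, acc)
    return acc

def eval_(phi):                        # eval of Fig. 3 on one canonical binding
    return 'rigid' if phi[2] else 'flex'

def compose_run(run):                  # theta = phi_j o ... o phi_1 for one run of bindings
    theta = {}
    for var, term, _ in run:
        theta = compose({var: term}, theta)
    return theta

def slist(steps):
    """steps = [phi_1, ..., phi_k] in application order, each a canonical
    single-variable binding (var, term, marked_with_s?).  Every maximal run of
    equally marked bindings becomes one substitution theta^m."""
    return [(compose_run(list(run)), m) for m, run in groupby(steps, key=eval_)]

def split(lhs, rhs, groups, fresh=None):
    """Fig. 3: one rule per group; every group but the last is routed through a
    fresh intermediate function over the variables of the instantiated lhs, so
    that rigid and flex bindings never share a rule."""
    fresh = fresh or count(1)
    rules = []
    for theta, ann in groups[:-1]:
        l = apply(theta, lhs)
        inter = (f"f'_{next(fresh)}",) + tuple(var_order(l))   # assumed naming of F_inter symbols
        rules.append((l, inter, ann))
        lhs = inter
    theta, ann = groups[-1]
    rules.append((apply(theta, lhs), rhs, ann))
    return rules

def show(t):
    if isinstance(t, str): return t
    return t[0] if len(t) == 1 else f"{t[0]}({','.join(map(show, t[1:]))})"

# Example 5 (constructed input): the suspended step binds X in the flexible f,
# the completing NN step binds Y in the rigid g (marked) and Z in the flexible h.
EX5_STEPS = [('X', ('a',), False), ('Y', ('b',), True), ('Z', ('c',), False)]
EX5_LHS = ("f'", 'X', 'Y', 'Z')                                     # rho(f(X,g(Y,h(Z))))
EX5_RHS = ('ren_rho', ('f', ('a',), ('g', ('b',), ('c',))))          # ren_rho kept symbolic

def example5():
    return split(EX5_LHS, EX5_RHS, slist(EX5_STEPS))

if __name__ == '__main__':
    for l, r, ann in example5():
        print(f"{show(l)} -> {show(r)}   % {ann}")
```

The printed rules are f'(a,Y,Z) → f'_1(Y,Z) (flex), f'_1(b,Z) → f'_2(Z) (rigid) and f'_2(c) → ren_rho(f(a,g(b,c))) (flex), i.e. the result of step 3 above.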

A general requirement in the partial evaluation of lazy functional logic programs is that no constructor-rooted expression can be evaluated during PE [5, 7]. This is also true in our context, although we did not make this condition explicit in Def. 1 since the computation model is only defined for operation-rooted terms. If we consider the more general setting in which the operational semantics is also defined for constructor-rooted terms, then this condition must appear explicitly.

For the correctness of partial evaluation, a closedness condition is commonly required which ensures that all calls which might occur during the execution of the specialized program are covered by some program rule. The following is an easy extension of the closedness condition of [6] to the case of residuating programs. Informally, an operation-rooted term t is closed w.r.t. a set of calls S if it is an instance of a term in S and the terms in the matching substitution are recursively closed by S.
Definition 2 (closedness). Let S be a finite set of terms. We say that a term t 
is S-closed if closed(S, t) holds, where the predicate closed is defined inductively 
as follows: 

\[
closed(S, t) =
\begin{cases}
true & \text{if } t \in \mathcal{X} \\[4pt]
\bigwedge_{i=1,\dots,n} closed(S, t_i) & \text{if } t = c(t_1, \dots, t_n),\ c \in (\mathcal{C} \cup \{=, \&\} \cup \mathcal{F}_{inter}) \\[4pt]
\bigwedge_{x \mapsto t' \in \theta} closed(S, t') & \text{if } \exists \theta,\ \exists s \in S \text{ such that } \theta(s) = t
\end{cases}
\]

We say that a set of terms T is S-closed, written closed(S, T), if closed(S, t) 
holds for all t ∈ T, and we say that a TRS R is S-closed if closed(S, R_calls) 
holds. Here we denote the set of the rhs’s of the rules in R by R_calls. 



Note that expressions rooted by an “intermediate” function symbol in F_inter 
are S-closed by definition, independently of the considered set S. This is moti- 
vated by the fact that intermediate functions are not “visible” in the specialized 
program (i.e., they do not belong to the set of specialized calls), but are only 
intended as a mechanism to preserve the floundering behaviour. 

The following theorem states an important property of RNPE: if the input 
program is inductively sequential, then the specialized program is also induc- 
tively sequential. 



Theorem 2. Let R be an inductively sequential program and S a finite set of 
operation-rooted terms. Then each RNPE of R w.r.t. S is inductively sequential. 

The following result establishes the precise relation between partial evaluations 
based on needed narrowing (without residuation, as defined in [7]), which we call 
NNPE for short, and partial evaluations as defined here. Intuitively, any RNPE 
R' can be transformed into an equivalent program R'' (w.r.t. needed narrowing) 
by replacing each set of rules 

σ(ρ(s)) → f_1(x̄_{m_1}) 
f_1(φ_1(x̄_{m_1})) → f_2(x̄_{m_2}) 
  ⋮ 
f_k(φ_k(x̄_{m_k})) → ren_ρ(r) 

associated to a suspended expression, by the new rule 

θ(ρ(s)) → ren_ρ(r),  with θ = φ_k ∘ ⋯ ∘ φ_1 ∘ σ 

and ignoring all the evaluation annotations. The program constructed in this 
way is a correct NNPE of R w.r.t. S (under ρ), as formalized in the following. 



Theorem 3. Let R be an inductively sequential program. Let S be a finite set 
of operation-rooted terms and ρ an independent renaming of S. If R' is a RNPE 
of R w.r.t. S (under ρ), then there exists a NNPE R'' of R w.r.t. S (under ρ) 
such that, for all goals e, we have e →*_σ true in R' iff e →*_σ true in R''. 
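The two constructions just described, the split of Example 5 into a chain of intermediate rules and the collapse of such a chain into a single NNPE rule as in the paragraph before Theorem 3, as an added illustration in Python (not code from the paper, Fig. 3 or the Indy system). The marked binding groups for Example 5 are constructed here; the flexible/rigid assignment of the intermediate functions follows the statement at the end of Example 5 (non-suspended group gives a flexible function, suspended group a rigid one), and the composition θ = φ_k ∘ ⋯ ∘ φ_1 ∘ σ is computed as a union because the groups bind disjoint variables to ground constructor terms:

```python
"""split (Example 5) and the Theorem 3 collapse, as an added illustration.

Terms are kept as plain strings; a left-hand side is a function name plus a
list of argument strings (variables or constructor constants).  A derivation
is given as an ordered list of groups (substitution, mark) with mark 'ns' for
non-suspended and 's' for suspended bindings.
"""


def apply_subst(args, subst):
    """Instantiate an argument list with a substitution (variables not in subst stay)."""
    return [subst.get(a, a) for a in args]


def split(lhs_name, lhs_args, rhs, groups):
    """Return (rules, annotations) for the chain of intermediate rules.

    Each group yields one rule: the current lhs instantiated with the group's
    bindings rewrites to the next intermediate function applied to the still
    unbound variables; the last group rewrites to ren_rho(rhs).  The function
    introduced for a group is flexible for 'ns' and rigid for 's'.
    """
    rules, annotations = [], {}
    name, args = lhs_name, list(lhs_args)
    for i, (subst, mark) in enumerate(groups, start=1):
        annotations[name] = "flex" if mark == "ns" else "rigid"
        inst = apply_subst(args, subst)
        remaining = [a for a in args if a not in subst]
        if i < len(groups):
            nxt = f"{lhs_name}_{i}"                       # f'_1, f'_2, ...
            rules.append((f"{name}({','.join(inst)})", f"{nxt}({','.join(remaining)})"))
            name, args = nxt, remaining
        else:
            rules.append((f"{name}({','.join(inst)})", f"ren_rho({rhs})"))
    return rules, annotations


def collapse(lhs_name, lhs_args, rhs, groups):
    """Theorem 3: the single NNPE rule theta(rho(s)) -> ren_rho(r).

    theta is the composition of all group substitutions; as the groups bind
    disjoint variables to ground terms (assumption), a dict union suffices.
    """
    theta = {}
    for subst, _mark in groups:
        theta.update(subst)
    inst = apply_subst(lhs_args, theta)
    return (f"{lhs_name}({','.join(inst)})", f"ren_rho({rhs})"), theta


# Constructed from Example 5: rho(f(X,g(Y,h(Z)))) = f'(X,Y,Z), final term f(a,g(b,c)).
GROUPS5 = [({"X": "a"}, "ns"), ({"Y": "b"}, "s"), ({"Z": "c"}, "ns")]


def example5():
    """The three rules of Example 5 and the annotations f' flex, f'_1 rigid, f'_2 flex."""
    return split("f'", ["X", "Y", "Z"], "f(a,g(b,c))", GROUPS5)


if __name__ == "__main__":
    rules, ann = example5()
    for lhs, rhs in rules:
        print(f"{lhs} -> {rhs}   % {ann[lhs.split('(')[0]]}")
    print(collapse("f'", ["X", "Y", "Z"], "f(a,g(b,c))", GROUPS5)[0])
```

Running the block prints the three intermediate rules with their annotations followed by the collapsed rule f'(a,b,c) → ren_rho(f(a,g(b,c))); the rigid annotation on f'_1 is exactly the information that the collapsed rule discards.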
Now, we state the partial correctness of RNPE, which amounts to the full com- 
putational equivalence between the original and specialized programs when the 
considered goal does not flounder. 

Theorem 4 (partial correctness). Let R be an inductively sequential pro- 
gram. Let e be an equation, V ⊇ Var(e) a finite set of variables, S a finite set of 
operation-rooted terms, and ρ an independent renaming of S. Let R' be a RNPE 
of R w.r.t. S (under ρ) such that R' ∪ {e'} is S'-closed, where e' = ren_ρ(e) and 
S' = ρ(S). 

1. If e' →*_{σ'} true in R', then e →*_σ t and φ(t) →* true in R with σ' = φ ∘ σ [V]. 

2. If e →*_σ true in R, then e' →*_{σ'} t' and φ(t') →* true in R' with σ = φ ∘ σ' [V]. 

Loosely speaking, the previous result establishes that, if evaluation annotations 
are not considered (that is, no function calls are delayed), then the specialized 
program R' is able to produce the same answers (computed by needed nar- 
rowing) as the original one R (and vice versa). The preservation of floundering- 
freeness (i.e., absence of floundering) for the intended goals is needed to establish 
the total correctness of the transformation. On the other hand, it ensures that 
the transformation does not introduce additional floundering points, which is of 
crucial importance when we are using the transformation for optimizing a pro- 
gram. Moreover, this feature may allow us to use the transformation as a tool 
for proving floundering-freeness of the original program (see Example 7). In fact, 
if after the transformation we can state that R' ∪ {e'} does not flounder, then 
we are also sure that R ∪ {e} does not flounder either, where e' = ren_ρ(e). 

Unfortunately, the recursive notion of closedness introduced in Def. 2 is too 
weak (generous) to preserve the floundering behaviour, as illustrated by the 
following example. 

Example 6. Let us consider the following set of rules: 

f(X, a) → g(X)   % flex 
g(b) → c         % flex 
h(a) → b         % rigid 

A RNPE of {f(X, Y), h(X)} under ρ = {f(X, Y) ↦ f'(X, Y), h(X) ↦ h'(X)} is 

f'(b, a) → c   % flex 
h'(a) → b      % rigid 

Now, the S-closed expression f(h(X), X) has the following successful computation 
in the original program 

⟨id, f(h(X), X)⟩ → ⟨{X ↦ a}, g(h(a))⟩ → ⟨{X ↦ a}, g(b)⟩ → ⟨{X ↦ a}, c⟩ 

whereas ρ(f(h(X), X)) = f'(h'(X), X) may suspend in the specialized program, e.g., 
by considering the following definitional tree 

branch(f'(X, Y), 1, flex, 
  branch(f'(b, Y), 2, flex, 
    rule(f'(b, a) → c))) 

for the specialized function f'. 
Informally, the problem is that the recursive notion of closedness only works 
when the considered operational model is compositional, as it essentially exploits 
the fact that the meaning of a complex expression f(h(X), X) can be retrieved 
from the semantics of its “unnested” constituents f(Y, X) and h(X) [6]. However, 
the → calculus is not compositional due to the presence of delayed function 
calls, and hence the meaning of the call f(h(X), X) (which does not flounder) 
cannot be obtained from the meaning of the calls f(Y, X) and h(X) since the 
second one flounders. Thus, we consider in the following a restricted notion of 
closedness (called basic closedness in [6], in symbols closed⁻) which is defined 
as the recursive closedness of Def. 2 except for the case 

\[
closed(S, t) = \bigwedge_{x \mapsto t' \in \theta} closed(S, t') \quad \text{if } \exists \theta,\ \exists s \in S \text{ such that } \theta(s) = t
\]

which is replaced by the more simple condition 

\[
closed^{-}(S, t) = true \quad \text{if } \exists \theta,\ \exists s \in S \text{ such that } \theta(s) = t \text{ and } \theta \text{ is constructor.}
\]
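Def. 2 and the restricted closed⁻ side by side, as an added Python illustration (not code from the paper or the Indy system), run on the set S = {f(X,Y), h(X)} and the goal f(h(X), X) of Example 6. The term encoding and the signature (a, b, c constructors; f, g, h operations; no intermediate symbols) are constructed here; the matching routine is ordinary first-order matching in which the variables of the goal are treated as constants:

```python
"""closed(S, t) of Def. 2 and closed^-(S, t), as an added illustration.

Encoding: a variable is an uppercase string ("X"); an application is a tuple
(symbol, arg_1, ..., arg_n), so the constant a is ("a",).  The signature below
is the one of Example 6 (constructed here).
"""

CONSTRUCTORS = {"a", "b", "c"}
BUILTIN = {"=", "&"}          # strict equality and conjunction, treated like constructors
F_INTER = set()               # intermediate symbols F_inter (none in Example 6)


def is_var(t):
    return isinstance(t, str)


def match(pattern, term, theta=None):
    """Syntactic matching: return theta with theta(pattern) == term, or None.
    Variables of `term` are constants here, so f(X,Y) matches f(h(X),X)."""
    if theta is None:
        theta = {}
    if is_var(pattern):
        if pattern in theta:
            return theta if theta[pattern] == term else None
        theta[pattern] = term
        return theta
    if is_var(term) or pattern[0] != term[0] or len(pattern) != len(term):
        return None
    for p, t in zip(pattern[1:], term[1:]):
        if match(p, t, theta) is None:
            return None
    return theta


def is_constructor_term(t):
    """True when t is built only from variables and constructor symbols."""
    if is_var(t):
        return True
    return t[0] in CONSTRUCTORS and all(is_constructor_term(a) for a in t[1:])


def closed(S, t, basic=False):
    """closed(S, t) of Def. 2; with basic=True the restricted closed^-(S, t),
    which accepts theta(s) = t only for a constructor substitution theta and
    does not recurse into the bound terms."""
    if is_var(t):                                   # t in X
        return True
    if t[0] in CONSTRUCTORS | BUILTIN | F_INTER:    # t = c(t_1, ..., t_n)
        return all(closed(S, a, basic) for a in t[1:])
    for s in S:                                     # exists theta, s with theta(s) = t
        theta = match(s, t)
        if theta is None:
            continue
        if basic:
            if all(is_constructor_term(v) for v in theta.values()):
                return True
        elif all(closed(S, v, basic) for v in theta.values()):
            return True
    return False


# Example 6: S = {f(X,Y), h(X)} and the goal f(h(X), X).
S6 = [("f", "X", "Y"), ("h", "X")]
GOAL6 = ("f", ("h", "X"), "X")


def example6():
    """The goal is S-closed under Def. 2 but not S-closed^-: the matching
    substitution {X -> h(X), Y -> X} binds X to an operation-rooted term."""
    return {"closed": closed(S6, GOAL6), "closed_minus": closed(S6, GOAL6, basic=True)}


if __name__ == "__main__":
    print(example6())
```

The difference is exactly the one the text describes: Def. 2 accepts f(h(X), X) because the nested call h(X) is itself an instance of a term in S, whereas closed⁻ rejects it because the matching substitution is not a constructor substitution, so the floundering behaviour of h(X) can no longer be hidden inside a matched argument.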

The following result states the equivalence between the original and specialized 
programs w.r.t. floundering-freeness. 

Theorem 5 (floundering-freeness). Let R be an inductively sequential pro- 
gram, e an equation, S a finite set of operation-rooted terms, and ρ an inde- 
pendent renaming of S. Let R' be a RNPE of R w.r.t. S (under ρ) such that 
R' ∪ {e'} is S'-closed⁻, where e' = ren_ρ(e) and S' = ρ(S). Then, e flounders in 
R iff e' flounders in R'. 

As a corollary of Theorems 4 and 5, we can establish the total correctness of the 
transformation. 

Theorem 6 (total correctness). Let R be an inductively sequential program. 
Let e be an equation, V ⊇ Var(e) a finite set of variables, S a finite set of 
operation-rooted terms, and ρ an independent renaming of S. Let R' be a RNPE 
of R w.r.t. S (under ρ) such that R' ∪ {e'} is S'-closed⁻, where e' = ren_ρ(e) 
and S' = ρ(S). 

1. If e' →*_{σ'} true in R', then e →*_σ true in R where σ' = σ [V] (soundness) 

2. If e →*_σ true in R, then e' →*_{σ'} true in R' where σ' = σ [V] (completeness) 

5 Some Experiments 

The Indy system v1.8 is a rather concise implementation of a partial evaluator 
for functional logic programs (a detailed description of the system can be found 
in [3]). The partial evaluator described in Sect. 4 has been implemented in the 
Indy system and used to conduct some experiments (extracted from the Curry 
library⁷) which illustrate the advantages of the RNPE method in the context of 
residuating functional logic programs as well as the practicality of our approach. 

⁷ Available from URL: http://www-i2.informatik.rwth-aachen.de/~hanus/curry. 
Fig. 4. Partial computations for X + Y = Z & isNat(X) and Y = Z & true 

  X + Y = Z & isNat(X) 
    {X ↦ 0}:       0 + Y = Z & true  →  Y = Z & true 
        {Y ↦ 0, Z ↦ 0}:          true & true  →  true 
        {Y ↦ s(Y'), Z ↦ s(Z')}:  Y' = Z' & true 
    {X ↦ s(X')}:   s(X') + Y = Z & isNat(X')  →  s(X' + Y) = Z & isNat(X') 
        {Z ↦ s(Z')}:  X' + Y = Z' & isNat(X') 

  Y = Z & true 
    {Y ↦ 0, Z ↦ 0}:          true & true  →  true 
    {Y ↦ s(Y'), Z ↦ s(Z')}:  Y' = Z' & true 



Let us introduce an example which shows that RNPE can be used for proving 
floundering-freeness of a class of goals in a given program. 

Example 7. Consider the following program which defines the arithmetic addi- 
tion and the predicate isNat, which returns true when the argument is a natural 
number: 

0 + Y → Y                 isNat(0) → true 
s(X) + Y → s(X + Y)       isNat(s(X)) → isNat(X) 

where “+” is rigid and “isNat” is flexible. Let S = {X + Y = Z & isNat(X), Y = 
Z & true} and consider the independent renaming ρ = {X + Y = Z & isNat(X) ↦ 
and3(X, Y, Z), Y = Z & true ↦ and2(Y, Z)}. Now, by considering the partial com- 
putations depicted in Fig. 4,⁸ the following RNPE of the program w.r.t. S (under 
ρ) is constructed: 

and3(0, 0, 0) → true                  and2(0, 0) → true 
and3(0, s(Y), s(Z)) → and2(Y, Z)      and2(s(X), s(Y)) → and2(X, Y) 
and3(s(X), Y, s(Z)) → and3(X, Y, Z) 

where both and3 and and2 are flexible functions. Then, for proving floundering- 
freeness it is sufficient to check that no operation symbol of the resulting partially 
evaluated program has a rigid annotation. For instance, one can easily see that 
the goal X + Y = Z & isNat(X) is floundering-free in the residual program (hence 
in the original), since the program has no rigid functions, while in the original 
program this is not immediate. 

In the next example, we intend to show that RNPE can be also used to simplify 
the dynamic behavior of a program, thus allowing us to achieve a significant 
optimization. 

⁸ Here we assume that the strict equality = is flexible. 
Example 8. Consider the classical map coloring program which assigns a color to 
each of four countries such that countries with a common border have different 
colors: 

isColor(red) → true 
isColor(yellow) → true 
isColor(green) → true 
coloring(l1, l2, l3, l4) → isColor(l1) & isColor(l2) 
                           & isColor(l3) & isColor(l4) 
correct(l1, l2, l3, l4) → diff(l1, l2) & diff(l1, l3) 
                          & diff(l2, l4) & diff(l3, l4) 

where the predefined function diff is the only rigid function (it makes use of the 
strict equality predicate in order to check whether its arguments are different). 
Now, we consider the specialization of the expression correct(l1, l2, l3, l4) & 
coloring(l1, l2, l3, l4), which gives the following specialized program: 

and4(red, yellow, green, red) → true 
and4(red, green, yellow, red) → true 
and4(yellow, red, green, yellow) → true 
and4(yellow, green, red, yellow) → true 
and4(green, red, yellow, green) → true 
and4(green, yellow, red, green) → true 

where some potential colorings have been discarded, thus simplifying the dy- 
namic behavior of the program and achieving a significant speedup (actually it 
runs 23 times faster). 
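What the specializer computes in Example 8, reproduced by exhaustive evaluation as an added Python illustration (not code from the paper or the Indy system): the flexible isColor calls of coloring/4 bind every argument to a color, after which the rigid diff calls run on ground terms and never suspend, so each one can be decided at PE time and the residual program is just the set of colorings on which correct/4 evaluates to true. One check worth making: with the four diff calls exactly as printed in the rule for correct/4, the enumeration keeps 18 colorings, not the 6 listed; the 6 listed are exactly the colorings that also satisfy diff(l2, l3). The block therefore runs both constraint sets, and the fifth border between l2 and l3 is an assumption introduced here, not something the page states:

```python
"""Example 8 by exhaustive evaluation of the ground instances (added illustration).

COLORS are the arguments isColor accepts; EDGES_PAGE are the diff calls printed
in the rule for correct/4; EDGES_CLASSIC adds diff(l2, l3) as an assumption.
"""
from itertools import product

COLORS = ("red", "yellow", "green")               # isColor(c) -> true
VARS = ("l1", "l2", "l3", "l4")

# diff calls exactly as printed in the rule for correct/4.
EDGES_PAGE = (("l1", "l2"), ("l1", "l3"), ("l2", "l4"), ("l3", "l4"))
# Assumption (not on the page): an additional border between l2 and l3.
EDGES_CLASSIC = EDGES_PAGE + (("l2", "l3"),)


def correct(binding, edges):
    """correct(l1,l2,l3,l4): every diff(u, v) holds, i.e. strict inequality on ground colors."""
    return all(binding[u] != binding[v] for u, v in edges)


def specialise(edges):
    """Residual rules and4(c1,c2,c3,c4) -> true, one per coloring that survives.

    product(COLORS, repeat=4) enumerates the bindings produced by the four
    flexible isColor calls; correct() is then evaluated on ground arguments,
    which is why the rigid diff calls cannot flounder during this specialization.
    """
    return [colors for colors in product(COLORS, repeat=4)
            if correct(dict(zip(VARS, colors)), edges)]


def render(rules):
    """Pretty-print the residual program in the notation of Example 8."""
    return "\n".join(f"and4({', '.join(r)}) -> true" for r in rules)


if __name__ == "__main__":
    print(f"{len(specialise(EDGES_PAGE))} rules with the four printed diff calls")
    print(render(specialise(EDGES_CLASSIC)))
```

Running the block prints the rule count for the printed constraints and then the six and4 facts of Example 8 for the five-constraint variant; the 18-rule residual program for the printed constraints is still a correct specialization, just a larger one, which is why the check matters when judging the reported speedup.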

Our preliminary experiments show that RNPE is able to produce significant 
speed-ups on several typical concurrent Curry programs. Moreover, it is a con- 
servative extension of the previous Indy system based on needed narrowing, 
since RNPE boils down to NNPE when all program functions are flexible. 

6 Conclusions 

We have presented a general partial evaluation framework for Curry, a truly 
lazy functional logic language whose development is an international initiative 
intended to provide a standard for the area. The framework derives from that 
of [7] and extends it to the combination of needed narrowing and residuation. 
The extended framework allows us to safely deal with the evaluation annota- 
tions, which is crucial for controlling unfolding during PE as well as for correctly 
synthesizing evaluation annotations for the specialized functions. 

Despite the practical importance of logic programs with dynamic scheduling, 
there has been surprisingly little work devoted to their specialization. The only 
transformation framework that we are aware of for logic languages with delays is 
that of Etalle and Gabbrielli [14], which is based on the fold/unfold approach to 
program transformation. It differs from our methodology, since our framework is 
based on the (automatic) PE approach and applies to logic languages with lazy 
functions. Moreover, we allow unfolding of suspended expressions at PE time, 
which is not the case of [14]. 

An interesting prospect for future work is to extend the framework to en- 
compass the PE of non-deterministic (i.e., non-confluent) functions, which is 
ahead of the state of the art as we know it even for pure functional program- 
ming languages [23]. We are also considering how to discover slices of code in 
the residual program which are “semantically dead” , according to the considered 
operational principle of functional logic programs with delays, since they can be 
safely removed without influencing the intended result. 